Re: [OPSEC] minutes part 2
R Atkinson <ran.atkinson@gmail.com> Wed, 17 December 2008 02:19 UTC
Return-Path: <opsec-bounces@ietf.org>
X-Original-To: opsec-archive@optimus.ietf.org
Delivered-To: ietfarch-opsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9E88F3A6A7C; Tue, 16 Dec 2008 18:19:44 -0800 (PST)
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 06B783A6A7C for <opsec@core3.amsl.com>; Tue, 16 Dec 2008 18:19:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uwM9GCAO5LhD for <opsec@core3.amsl.com>; Tue, 16 Dec 2008 18:19:43 -0800 (PST)
Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.29]) by core3.amsl.com (Postfix) with ESMTP id D8DB33A68F9 for <opsec@ietf.org>; Tue, 16 Dec 2008 18:19:42 -0800 (PST)
Received: by yw-out-2324.google.com with SMTP id 3so1431646ywj.49 for <opsec@ietf.org>; Tue, 16 Dec 2008 18:19:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:mime-version :subject:date:references:x-mailer; bh=S5A+Vs4mGHatAghpJR3ZK+RliO0RmJGfbb/sgX6ra5I=; b=r0FcGazlsgag7K+Zj6cFR8DPSeTlODgiP+++skjR/c37YfddnCoh/h9QRoi8zrvdaq ubnMyjDqiwLm4EfjLbL0LxBjq0sC2UI+rTDOPftZuiwR3ALgJBtqLBSyF4TJPX0luZ0T zscfhMi1pJhmt5ku+MiN+SapH1TBgq4HCCzHo=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:from:to:in-reply-to:content-type :content-transfer-encoding:mime-version:subject:date:references :x-mailer; b=neCKdh+sGFDz1s/ibRKKqTj9h5F2ZmSpmgt6CauaJre8DVpfkWu8W9bbtzEchLOKO+ mPKEPM/ytRramRxp6g1tM2JMytpczMtq3jPyA6C8zw0SwRG4XV92/Gm3tsOv4hyNN+dh 4G6KNZr0+fE2qybt1i6UuxJuVYdMw97i9//aU=
Received: by 10.64.7.12 with SMTP id 12mr145870qbg.36.1229480375106; Tue, 16 Dec 2008 18:19:35 -0800 (PST)
Received: from ?10.10.1.61? (67.111.52.130.ptr.us.xo.net [67.111.52.130]) by mx.google.com with ESMTPS id 28sm402396qbw.16.2008.12.16.18.19.33 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 16 Dec 2008 18:19:34 -0800 (PST)
Message-Id: <69BA9195-6869-45F1-832F-9040901F0C9F@gmail.com>
From: R Atkinson <ran.atkinson@gmail.com>
To: opsec@ietf.org
In-Reply-To: <77ead0ec0812161759g4900bd98h6ad6c07bb0d81fe3@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Tue, 16 Dec 2008 21:19:31 -0500
References: <14198D76-AA32-4E02-9425-0700ED57B07B@gmail.com> <77ead0ec0812161759g4900bd98h6ad6c07bb0d81fe3@mail.gmail.com>
X-Mailer: Apple Mail (2.930.3)
Subject: Re: [OPSEC] minutes part 2
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: opsec-bounces@ietf.org
Errors-To: opsec-bounces@ietf.org
On 16 Dec 2008, at 20:59, Vishwas Manral wrote: > No, it is not discussed in the document. The RFC you mention is an > Experimental RFC. The draft talks about "Issues with Existing > Cryptographic Mechanisms with Routing Protocols". We can discuss the > same however (though I would feel it may not exactly fit the draft). It would be helpful to discuss also, as that is an IGP authentication mechanism that we have today and that could be used. I'm told that there is at least one implementation, although I'm unclear on how available that implementation might be. > http://www.ietf.org/mail-archive/web/ipsec/current/thrd5.html is a > link to the first page of the discussion. The discussion is a long > discussion Thank you for the URLs. > We have customers who have asked for the crypto algorithms. Other than US DoD ? Very Interesting. Are they Enterprise users ? Service Providers ? other ? Is this for policy reasons or does a particular threat model drive them in that direction ? > We are implementing this and so is Cisco (this has been brought to > your notice in private mails earlier but you still bring the issue). I do not have such any private emails; they must have been lost in transit. Thanks for the clarity. So at least 2 implementations are reported to be in progress, and none are available now. That is useful to understand. > It sounds interesting that you want to know vendors implementing some > solutions because we are writing an issues document with already > existing mechanisms. Your assumption is incorrect. I want to know because the OPsec meeting minutes seemed to suggest that someone proposed this WG should recommend SHA mechanisms over MD5 mechanisms, and I was not aware of any active work to implement any SHA mechanisms. >> 5: Claims made by existing IGP authentication documents >>>> >>>> However if you see most drafts "security considerations" section, >>>> they state that using cryptographic authentication is a panicia >>>> for all >>>> evils. >> >> I can't find even one RFC or I-D that says anything similar >> to "using cryptographic authentication is a panacea for all evils". >> >> I checked a bunch of documents, which I enumerated in an earlier >> email; none contained any such language. >> >> Which specific document does this ? and on which page ? > Please check the drafts in this page > http://www.ietf.org/html.charters/ospf-charter.html . > As an example see the first draft in the list it states > http://www.ietf.org/internet-drafts/draft-ietf-ospf-lls-05.txt > > Security Considerations > > The described technique provides the same level of security as > OSPFv2 > protocol by allowing LLS data to be authenticated using the same > cryptographic authentication that OSPFv2 uses (see Section 2.5 for > more details). > > OSPFv3 utilizes IPSec for authentication and encryption > [OSPFV3AUTH]. > With IPsec, the AH (Authentication Header), ESP (Encapsulating > Security Payload), or both are applied to the entire OSPFv3 payload > including the LLS block. That does not say either that cryptographic authentication is a panacea or that cryptographic authentication is perfect. So the quote does not support your original claim (from the top of Section 5 of my note). The text you quote above simply says that it provides "the same level of security" ... "by using the same cryptographic authentication". The text you quote from that I-D does not even claim that the existing cryptographic authentication is a sufficient level of security. Its claims are really quite narrow and quite mild. > Our aim is to bring forward the issues with the cryptographic > mechanisms. The issues with the cryptographic mechanisms are not > stated in the base RFC either and I have mentioned this to you > clearly. I quoted the base OSPF RFC to this list earlier today, where that RFC indicated that the cryptographic authentication was focused on "passive attack" prevention and showed that that RFC did not claim the cryptographic authentication to be perfect or to be a panacea. So the OSPF RFC does not support your quoted claim either. > Because most RFC's draft seem to state something similar to > the above. The actual IGP authentication RFCs and I-Ds (which I did cite) do not do so. They are what users and implementers read when studying IGP authentication. Further, the "examples" you have cited so far do not support your claim at the top of this section (Section 5 of my email). Thank you for the speedy reply. Yours, Ran Atkinson rja@extremenetworks.com _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec
- [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- [OPSEC] Prospective issue with IPsec ESP-NULL & I… R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Darrel Lewis (darlewis)
- Re: [OPSEC] minutes part 2 Darrel Lewis (darlewis)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- [OPSEC] FW: minutes part 2 Michael Barnes
- Re: [OPSEC] FW: minutes part 2 Smith, Donald
- Re: [OPSEC] FW: minutes part 2 Michael Barnes
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson