IETF Logo Mail Archive

Re: [OPSEC] minutes part 2

R Atkinson <ran.atkinson@gmail.com> Wed, 17 December 2008 02:19 UTC

Return-Path: <opsec-bounces@ietf.org>
X-Original-To: opsec-archive@optimus.ietf.org
Delivered-To: ietfarch-opsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9E88F3A6A7C; Tue, 16 Dec 2008 18:19:44 -0800 (PST)
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 06B783A6A7C for <opsec@core3.amsl.com>; Tue, 16 Dec 2008 18:19:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uwM9GCAO5LhD for <opsec@core3.amsl.com>; Tue, 16 Dec 2008 18:19:43 -0800 (PST)
Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.29]) by core3.amsl.com (Postfix) with ESMTP id D8DB33A68F9 for <opsec@ietf.org>; Tue, 16 Dec 2008 18:19:42 -0800 (PST)
Received: by yw-out-2324.google.com with SMTP id 3so1431646ywj.49 for <opsec@ietf.org>; Tue, 16 Dec 2008 18:19:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:mime-version :subject:date:references:x-mailer; bh=S5A+Vs4mGHatAghpJR3ZK+RliO0RmJGfbb/sgX6ra5I=; b=r0FcGazlsgag7K+Zj6cFR8DPSeTlODgiP+++skjR/c37YfddnCoh/h9QRoi8zrvdaq ubnMyjDqiwLm4EfjLbL0LxBjq0sC2UI+rTDOPftZuiwR3ALgJBtqLBSyF4TJPX0luZ0T zscfhMi1pJhmt5ku+MiN+SapH1TBgq4HCCzHo=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:from:to:in-reply-to:content-type :content-transfer-encoding:mime-version:subject:date:references :x-mailer; b=neCKdh+sGFDz1s/ibRKKqTj9h5F2ZmSpmgt6CauaJre8DVpfkWu8W9bbtzEchLOKO+ mPKEPM/ytRramRxp6g1tM2JMytpczMtq3jPyA6C8zw0SwRG4XV92/Gm3tsOv4hyNN+dh 4G6KNZr0+fE2qybt1i6UuxJuVYdMw97i9//aU=
Received: by 10.64.7.12 with SMTP id 12mr145870qbg.36.1229480375106; Tue, 16 Dec 2008 18:19:35 -0800 (PST)
Received: from ?10.10.1.61? (67.111.52.130.ptr.us.xo.net [67.111.52.130]) by mx.google.com with ESMTPS id 28sm402396qbw.16.2008.12.16.18.19.33 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 16 Dec 2008 18:19:34 -0800 (PST)
Message-Id: <69BA9195-6869-45F1-832F-9040901F0C9F@gmail.com>
From: R Atkinson <ran.atkinson@gmail.com>
To: opsec@ietf.org
In-Reply-To: <77ead0ec0812161759g4900bd98h6ad6c07bb0d81fe3@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Tue, 16 Dec 2008 21:19:31 -0500
References: <14198D76-AA32-4E02-9425-0700ED57B07B@gmail.com> <77ead0ec0812161759g4900bd98h6ad6c07bb0d81fe3@mail.gmail.com>
X-Mailer: Apple Mail (2.930.3)
Subject: Re: [OPSEC] minutes part 2
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: opsec-bounces@ietf.org
Errors-To: opsec-bounces@ietf.org

On  16 Dec 2008, at 20:59, Vishwas Manral wrote:
> No, it is not discussed in the document. The RFC you mention is an
> Experimental RFC. The draft talks about "Issues with Existing
> Cryptographic Mechanisms with Routing Protocols". We can discuss the
> same however (though I would feel it may not exactly fit the draft).

It would be helpful to discuss also, as that is an IGP authentication
mechanism that we have today and that could be used.  I'm told that
there is at least one implementation, although I'm unclear on how
available that implementation might be.

> http://www.ietf.org/mail-archive/web/ipsec/current/thrd5.html is a
> link to the first page of the discussion. The discussion is a long
> discussion

Thank you for the URLs.

> We have customers who have asked for the crypto algorithms.

Other than US DoD ?    Very Interesting.
Are they Enterprise users ?  Service Providers ? other ?

Is this for policy reasons or does a particular threat model
drive them in that direction ?

> We are implementing this and so is Cisco (this has been brought to
> your notice in private mails earlier but you still bring the issue).

I do not have such any private emails; they must have been lost in  
transit.

Thanks for the clarity.  So at least 2 implementations are reported
to be in progress, and none are available now.  That is useful to  
understand.

> It sounds interesting that you want to know vendors implementing some
> solutions because we are writing an issues document with already
> existing mechanisms.

Your assumption is incorrect.

I want to know because the OPsec meeting minutes seemed to suggest
that someone proposed this WG should recommend SHA mechanisms over
MD5 mechanisms, and I was not aware of any active work to implement
any SHA mechanisms.

>> 5:  Claims made by existing IGP authentication documents
>>>>
>>>> However if you see most drafts "security considerations" section,
>>>> they state that using cryptographic authentication is a panicia  
>>>> for all
>>>> evils.
>>
>> I can't find even one RFC or I-D that says anything similar
>> to "using cryptographic authentication is a panacea for all evils".
>>
>> I checked a bunch of documents, which I enumerated in an earlier
>> email; none contained any such language.
>>
>> Which specific document does this ?  and on which page ?
> Please check the drafts in this page
> http://www.ietf.org/html.charters/ospf-charter.html .
> As an example see the first draft in the list it states
> http://www.ietf.org/internet-drafts/draft-ietf-ospf-lls-05.txt
>
> Security Considerations
>
>   The described technique provides the same level of security as  
> OSPFv2
>   protocol by allowing LLS data to be authenticated using the same
>   cryptographic authentication that OSPFv2 uses (see Section 2.5 for
>   more details).
>
>   OSPFv3 utilizes IPSec for authentication and encryption  
> [OSPFV3AUTH].
>   With IPsec, the AH (Authentication Header), ESP (Encapsulating
>   Security Payload), or both are applied to the entire OSPFv3 payload
>   including the LLS block.

That does not say either that cryptographic authentication is a panacea
or that cryptographic authentication is perfect.  So the quote does not
support your original claim (from the top of Section 5 of my note).

The text you quote above simply says that it provides "the same level of
security" ... "by using the same cryptographic authentication".   The
text you quote from that I-D does not even claim that the existing
cryptographic authentication is a sufficient level of security.  Its
claims are really quite narrow and quite mild.

> Our aim is to bring forward the issues with the cryptographic
> mechanisms. The issues with the cryptographic mechanisms are not
> stated in the base RFC either and I have mentioned this to you
> clearly.

I quoted the base OSPF RFC to this list earlier today, where that RFC
indicated that the cryptographic authentication was focused on
"passive attack" prevention and showed that that RFC did not claim the
cryptographic authentication to be perfect or to be a panacea.  So the
OSPF RFC does not support your quoted claim either.

> Because most RFC's draft seem to state something similar to
> the above.

The actual IGP authentication RFCs and I-Ds (which I did cite)
do not do so.  They are what users and implementers read when
studying IGP authentication.

Further, the "examples" you have cited so far do not support your claim
at the top of this section (Section 5 of my email).

Thank you for the speedy reply.

Yours,

Ran Atkinson
rja@extremenetworks.com



_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec

v2.23.0 | Report a Bug | By Email