Re: [OPSEC] minutes part 2

R Atkinson <ran.atkinson@gmail.com> Tue, 23 December 2008 22:48 UTC

On 23 Dec 2008, at 13:21, Vishwas Manral wrote:
> One more interesting thing I noticed was that we are recommending
> HMAC-SHA-1 over Keyed-MD5 for OSPF and RIP; do you agree with this part?
>
> Thanks,
> Vishwas
> =====================================================
>
>   For OSPF implementations to interoperate, they must support one or
>   more authentication algorithms in common that can be used in the
>   cryptographic scheme of authentication.
>
>   This section details the authentication algorithm requirements for
>   standards conformant OSPF implementations.
>
>   Old   Old         New
>   Req.  RFC         Requirement  Authentication Algorithm
>   ---   ------      -----------  ------------------------
>   MUST  2328        MUST-        Keyed MD5
>    -     -          SHOULD+      HMAC-SHA-1 [OSPF-HMAC]
>    -     -          MAY+         HMAC-SHA-256/HMAC-SHA-384/HMAC-SHA-512
>

I don't think the current knowledge to hand supports the
policy in the text you've quoted above.

In the past, BEFORE the understanding that SHA has "serious
attacks", then encouraging the use of SHA might have been
widely deemed reasonable, but given the current data
I don't see how one can draw that same conclusion now.

Cheers,

Ran
rja@extremenetworks.com
