Re: [OPSEC] draft-bhatia-manral-igp-crypto-requirements
"Bhatia, Manav (Manav)" <manav@alcatel-lucent.com> Thu, 26 February 2009 07:04 UTC
From: "Bhatia, Manav (Manav)" <manav@alcatel-lucent.com>
To: Joel Jaeggli <joelja@bogus.com>, Vishwas Manral <vishwas.ietf@gmail.com>
Date: Thu, 26 Feb 2009 12:32:34 +0530
Cc: opsec wg mailing list <opsec@ietf.org>

Hi,

The latest version of the above draft can be found here:

http://www.ietf.org/internet-drafts/draft-bhatia-manral-igp-crypto-requirements-03.txt

To cite one example, the draft in section 4.2 recommends the following for OSPFv2:

"This section details the authentication algorithm requirements for standards conformant OSPF implementations.

Keyed MD5 is a MUST as defined in [RFC2328]. It is our understanding that this will get superseded by HMAC-SHA-1 as defined in [OSPF-HMAC]. Keyed MD5 thus MUST be implemented, but its use may get deprecated in future. Implementations should start providing support for HMAC-SHA-1 as this will get promoted to a MUST in the future.

Operators should meanwhile start migrating towards HMAC-SHA-1 if they want to use stronger cryptographic algorithms for authenticating their OSPFv2 packets.

Implementations may start providing support for HMAC-SHA-256/HMAC-SHA-384/HMAC-SHA-512 as these algorithms may get upgraded to a SHOULD in the future."

This way we've retained the IETF terminology while giving an idea of where a particular algorithm is headed in the future.

Cheers, Manav

P.S.

[OSPF-HMAC] Bhatia, M., Manral, V., et al., "OSPF HMAC-SHA Cryptographic Authentication", Work in Progress

This draft is very mature, and an implementation is already underway. It should be "WG last called" pretty soon in the OSPF WG.

[ISIS-HMAC] mentioned in the draft has already been published as RFC 5310 (http://tools.ietf.org/rfc/rfc5310.txt).

> -----Original Message-----
> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of Joel Jaeggli
> Sent: Thursday, February 26, 2009 11.26 AM
> To: Vishwas Manral
> Cc: opsec wg mailing list
> Subject: Re: [OPSEC] draft-bhatia-manral-igp-crypto-requirements
>
> Vishwas Manral wrote:
> > Hi Joel,
> >
> > Thanks for your comment on the document.
> >
> >> We have the issue of vulnerable today vs problematic today, or
> >> tomorrow... I feel very comfortable saying there are some places where
> >> md5 is used today that I'd really prefer to not be using in 5 years.
> > If I understood you right, you are saying stating the fact that it's
> > used now though we would prefer it was not used. That was the exact
> > idea of MUST-, SHOULD+ etc we had used in the document earlier.
>
> I side with Sandra Murphy on the value of that particular language. If
> my concern is that I should not be running something in the future I
> want to simply state that. We take that concern expressed in an
> informational document back to implementation.
>
> > It gives an idea of direction of where the support of a particular
> > algorithm is heading towards. However based on the comments in the
> > list we modified the document to use standard IETF terminology.
>
> Which I concur with.
>
> joel
>
> > Thanks,
> > Vishwas