Re: [OPSEC] minutes part 2

"Glen Kent" <glen.kent@gmail.com> Thu, 18 December 2008 01:14 UTC

Return-Path: <opsec-bounces@ietf.org>
X-Original-To: opsec-archive@optimus.ietf.org
Delivered-To: ietfarch-opsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 38AF13A6B56; Wed, 17 Dec 2008 17:14:34 -0800 (PST)
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 30AB13A6B56 for <opsec@core3.amsl.com>; Wed, 17 Dec 2008 17:14:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iwkSKiyndp0x for <opsec@core3.amsl.com>; Wed, 17 Dec 2008 17:14:32 -0800 (PST)
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.152]) by core3.amsl.com (Postfix) with ESMTP id 04A4E3A66B4 for <opsec@ietf.org>; Wed, 17 Dec 2008 17:14:31 -0800 (PST)
Received: by fg-out-1718.google.com with SMTP id d23so92071fga.41 for <opsec@ietf.org>; Wed, 17 Dec 2008 17:14:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=bxoMl5hoL/pnSskeCygUSMrZtNG1JjnrKKnTS8wpI2U=; b=FxNvrtclwCkPobsYBOyk5tjrszUKL8lolluPgYKhnVtS7T/snEApozz6FaoFT4GiZE Kbb3ol+KklUZNbC7dnT3l9+yLTk7n0hPy6q1FNVJ/NfyK7blbhzfjARQMdEoA9+EJyds vuAJsziiBw7SGLVOmCx8s5Yvfroi1cr7TIN0I=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=vTGHpsONCc2VjSHzcUlhj1cUWkoYHquYtI0Q3ECBa5iQo33IXr8LQpUTCmymlD0Uyc Rf5JLKAQPvZ+WMTyS9vL0zt7fgehU3f6nvhXnNeKbhcrYMSQvMLXLFYAeL3szE1GY6E4 7BuxWktk7gn48l0aONIrMOq8ivBmYNHE7TQeQ=
Received: by 10.103.193.13 with SMTP id v13mr524101mup.125.1229562862941; Wed, 17 Dec 2008 17:14:22 -0800 (PST)
Received: by 10.103.160.12 with HTTP; Wed, 17 Dec 2008 17:14:22 -0800 (PST)
Message-ID: <92c950310812171714o1576776ax4f0272209ebb26a8@mail.gmail.com>
Date: Thu, 18 Dec 2008 06:44:22 +0530
From: Glen Kent <glen.kent@gmail.com>
To: R Atkinson <ran.atkinson@gmail.com>
In-Reply-To: <14198D76-AA32-4E02-9425-0700ED57B07B@gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
References: <14198D76-AA32-4E02-9425-0700ED57B07B@gmail.com>
Cc: opsec@ietf.org
Subject: Re: [OPSEC] minutes part 2
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: opsec-bounces@ietf.org
Errors-To: opsec-bounces@ietf.org

> 1:  OSPF with Digital Signatures
>>
>> OSPF with Digital Signatures is an existing mechanism (RFC-2154).
>> Is it discussed at the same level of detail as other mechanisms ?

Please stop harping about 2154. Its experimental and you may want to
read the Tao of IETF to understand what that means.

>
>
> 2:  Filtering of IGP packets
>>>
>>> I have mentioned cases where they may not be able to be filtered.
>>
>> Which specific cases ? Please provide a URL for your note to the OPsec
>> list where you detailed those cases. I have looked, and I can't find
>> that note in the OPsec list web archives, terribly sorry.
>
> This is an immediate operational security issue, if true.
> I'm sure I'm not the only person who'd like to understand
> the claim more precisely.

I think the context here was IPSec since ESP packets cannot be filtered.

>
>
> 3: User interest in SHA mechanisms for IGP authentication
>>
>> Do you know of anyone other than US DoD that wants this ?
>> (US DoD are the only ones that I can identify, and they are
>> saying their interest is only for "policy reasons".)
>>
>> If so, which users ? which RFPs ?

Providers may not be open in accepting this for various policy,
political reasons.

>
>
> 4:  Availability of SHA mechanisms for IGP authentication
>>
>> Further, there are no known shipping implementations of
>> SHA authentication for any IETF-specified IGP.
>> (I don't know of any that are even "in progress".)
>>>
>>> We know of a few including a big router vendor. :))
>
> Which ?  How many ?  When ?
> Are they shipping now or in progress now ?

Vendors may not be always willing to share this information.

Glen
_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec