IETF Logo Mail Archive

Re: [OPSEC] minutes part 2

R Atkinson <ran.atkinson@gmail.com> Tue, 16 December 2008 23:40 UTC

Return-Path: <opsec-bounces@ietf.org>
X-Original-To: opsec-archive@optimus.ietf.org
Delivered-To: ietfarch-opsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7435E3A68E0; Tue, 16 Dec 2008 15:40:25 -0800 (PST)
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AE4A23A68E0 for <opsec@core3.amsl.com>; Tue, 16 Dec 2008 15:40:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sQsCFXMTnkMb for <opsec@core3.amsl.com>; Tue, 16 Dec 2008 15:40:22 -0800 (PST)
Received: from qw-out-2122.google.com (qw-out-2122.google.com [74.125.92.26]) by core3.amsl.com (Postfix) with ESMTP id DFF023A68A9 for <opsec@ietf.org>; Tue, 16 Dec 2008 15:40:21 -0800 (PST)
Received: by qw-out-2122.google.com with SMTP id 3so791677qwe.31 for <opsec@ietf.org>; Tue, 16 Dec 2008 15:40:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:subject :mime-version:date:references:x-mailer; bh=ZkBpezbbIANnn2LIKSS5FKO2axv0efQQRBiVN5Yb018=; b=xUR2gLcrC90ezDeKiFDxzWUabmtUUEyk1L5D3tuESqpL4gxBKH4spus2T1dUikwW8C G23L8aP8yQYToQOmnJeZRJFUiwjd8yBcXPNW68VpwwgwhaQ1HXyvBb1qGCa/AMtyJtnZ erZ/cnkWlSi4pMcdDoMY4Cnh0xZL338f0p/1U=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:from:to:in-reply-to:content-type :content-transfer-encoding:subject:mime-version:date:references :x-mailer; b=hbmPnZfR0z2mKKEi6h6GipKYFEro5wA7Lwk0UgBW/d95REZOtXnZrg9TR9el3l/Y2x lJNps0PMnDewPNMcbAd7XwJtR5lIznQt2Mes6UDy3agZ+aCgQqwB4jJykAc99y1fVMlz M4q5udDgcJ0IUZI36nuFmq8wr9CJJvf8Kd8vA=
Received: by 10.214.114.17 with SMTP id m17mr63188qac.21.1229470813508; Tue, 16 Dec 2008 15:40:13 -0800 (PST)
Received: from ?10.10.1.61? (67.111.52.130.ptr.us.xo.net [67.111.52.130]) by mx.google.com with ESMTPS id 7sm1756229ywo.57.2008.12.16.15.40.12 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 16 Dec 2008 15:40:13 -0800 (PST)
Message-Id: <0C823E84-78EE-4234-9AD8-20688B0F8F55@gmail.com>
From: R Atkinson <ran.atkinson@gmail.com>
To: opsec@ietf.org
In-Reply-To: <77ead0ec0812161118l3ca37732m541deb4c716a8f42@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Tue, 16 Dec 2008 18:40:10 -0500
References: <EC3F7E1D-F7C8-484A-A0C0-1A25E79AD86E@extremenetworks.com> <77ead0ec0812160927j77bf42c6mbccef8ccf55d1e16@mail.gmail.com> <90F75653-21D6-4D2B-9472-52F2BDF7510D@gmail.com> <77ead0ec0812161118l3ca37732m541deb4c716a8f42@mail.gmail.com>
X-Mailer: Apple Mail (2.930.3)
Subject: Re: [OPSEC] minutes part 2
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: opsec-bounces@ietf.org
Errors-To: opsec-bounces@ietf.org

On  16 Dec 2008, at 14:18, Vishwas Manral wrote:
>  Let me again state that
> this document lists issues with existing cryptographic mechanisms. It
> is not a solutions document, if we have solutions like Digital
> Signatures we can have the mechanisms.

I'm not clear which document you are referring to.

My comments were reactions to the meeting minutes,
as the Subject line indicated and the quoted text indicated.

OSPF with Digital Signatures is an existing mechanism (RFC-2154).
Is it discussed at the same level of detail as other mechanisms ?

> If you do not agree to the solutions drafts of
> which you are a co-author (and the work is in
> other working groups), we can see what can be done.

I can't parse the above, terribly sorry.

> Please see the discussion on the IPsec Maintainance working group.
> Check the topic "Deep Inspecting ESP-NULL Packets" and the related
> draft solutions currently being proposed. However this is not in the
> scope of this document or discussion. If you have issues with this let
> us discuss the same in the right forum.

To the extent you are describing an operational security matter
with routing protocols and IPsec, which seemed to be your prior claim,
then that is indeed within charter for the IETF OPsec WG (i.e. here).

> I opened the base OSPF RFC Page 242 please note that they talk about
> only security when athentication is enabled. They do not delve into
> issues that might occur with the security mechanisms themselves into
> picture.

Here are some references:
	RFC-2082
	RFC-4822
	RFC-5304
	draft-rja-ospf-hmac-shs-00.txt [1]

Some folks on this list might or might not have read:
	draft-ietf-isis-hmac-sha-07.txt
	draft-ietf-ospf-hmac-sha-03.txt
	draft-ietf-ospf-md5-02 [1]

[1] A search engine is best to find this, as it is defunct.

>>> Our aim is to bring out issues even when cryptographic
>>> authentication is available.
>>
>> The limitations are generally already documented in the IGP
>> authentication documents' "Security Considerations" sections.
> No it isnt.

Generally, they have been, for example in the references above.

> Can you please map the RFC2328 security section with the
> OSPF vulnerabilities mentioned. Please do the same exercise for BFD,
> or for other protocols. It will be clear what we are talking about.

RFC-2328, Page 243, makes a narrow precise claim:

    "...is believed to be secure against passive attacks and
    provide significant protection against active attacks."

No claim that the mechanism is secure against all nor
even against most active attacks is made by the OSPF RFC.

Separately, the several mechanisms' various limitations
are widely understood within the Internet community,
as was evident throughout the KMART BOF.  The discussion
there was not so much about the current issues, which were
believed to be well understood, as about possible futures.

>> - All IGP attacks would have to be insider attacks,
>> because external packets are normally filtered anyway.
> I have mentioned cases where they may not be able to be filtered. This
> is an old discussion please go through the IPsec archives and you will
> get the gist.

Which specific cases ?

Please provide a URL for your note to the OPsec list
where you detailed those cases.  I have looked, and
I can't find that note in the OPsec list web archives,
terribly sorry.

>> - I am not aware of any IGP attacks ever occurring in the
>> deployed world.  There might be some, but I am not aware
>> of any published reports during the past ~20 years.
>> - If someone has seen an actual active attack on any IGP,
>> that would be VERY interesting to learn more about.
> Fair enough!!!

Thank you.  So, for now, we don't know of any active attacks
being undertaken against any IGP.  There might have been some,
I think we all agree, but we don't actually know of any.

So we agree that we don't have any known active attacks,
and that we have existing mechanisms that users believe
are suitable for their threat environment.

>> If one wants more, then the work that other folks have done with
>> "Digital Signatures" (RFC-2154) seems like the right direction to go.
>> That approach provides MUCH more comprehensive protections than
>> any other current mechanisms.  (This is all a rehash of comments
>> I made during the KMART BOF at IETF/PHL, not all of which comments
>> made it into the minutes.)

> If you made comments in the KMART which were not shared,
> please share them with us.

(My last note to the OPsec list repeated the main comments from me
that seem to be missing from the KMART meeting minutes.)

> If you have some Digital Signature based algorithm in
> mind please bring it up in the right context in the right forum. We
> have had discussions about this in the SAAG group too.

IETF OPsec is an appropriate forum to discuss both risks and
possible future directions for IGPs in general.  (Of course,
any protocol specification work would need to be undertaken
elsewhere. :-)

>> RFC-2154 does not use IPsec.  So a comment about IPsec
>> is orthogonal to the discussion.  Please go read RFC-2154.
>
> The comments may be Orthogonal but if I am not mistaken they include
> the use of Public Key Cryptography. We have problems of getting to the
> PKI before we have the route etc, and this problem has been debated
> too. Can you discuss why a mechanism of using IPsec is not better than
> the mechanism you mention?

Ah, try to change the topic and ask a different question,
rather than read RFC-2154 and comment upon it.  Interesting.

In general, I have long suggested that AH is a reasonable approach
to protecting IGPs.  AH, or for that matter ESP, isn't perfect
either, but using IPsec is different and also seems like a
reasonable approach that someone might take.

Historically, one of the primary reasons that the IGPs have their
own mechanisms was that AH/ESP availability in routers during the
middle 1990s was either limited or non-existent (depending on
which router platform one considers).  Had IPsec been widely
available in routers, and implemented in a way that facilitated
its use with IGP authentication, the IETF might well have avoided
going down the path of per-IGP authentication mechanisms.
The same basic history applies to TCP MD5 to protect BGP,
and explains why AH/ESP aren't widely used today to protect BGP.

(And, just to be clear, I have no issues with anyone proposing
or defining new mechanisms.  My own sense -- opinion -- is that
for a new mechanism to be "interesting" it either needs to be
a lot simpler to deploy than what is on the shelf right now
and with similar risk reduction properties OR the new mechanism
needs to provide significantly better risk reduction properties.
RFC-2154 provides significantly better risk reduction properties
than any of the existing mechanisms.  Ultimately, the market
decides what gets deployed, of course.)

I don't think, however, that the facts available right now
justify this WG formally encouraging users to move to SHA
(or HMAC-SHA) authentication from some other existing IGP
authentication approach.

> I have suggested a way like using BTNS for the same.

Great.  It is always good to have more ideas for the
community to consider.

> I said it is not mentioned in the draft. The draft is an issues draft
> and does not talk about using MD5 or SHA1, it gives issues with the
> current crypto mechanisms.

My comments were on the meeting minutes, as the Subject line and the
text I quoted indicated, not on any particular draft.

I'm unclear which draft you are referring to above.

> Well we have disccused this and you are on the CC list for the same. I
> do not have contacts in all the vendors, so cannot tell you for now.

I haven't seen any email indicating that anyone was actually
implementing any of the SHA mechanisms.  Perhaps that note
got lost in transit someplace.

> Once the draft is to be made a standards track we can do the
> implementation report and get the data. Again this is an aside and
> this is not part of the draft.

Users would be interested to know whether/when implementations
are likely to exist.

The OPsec meeting minutes indicated (perhaps just confusing wording ?)
that a proposal was made that this OPsec WG should encourage all users
to move to HMAC-SHA  -- which is very difficult to do if multiple
implementations are not readily available.

>>> The urge is to get into HMAC-SHA1 not SHA1.
>>
>> Moving to HMAC-SHA1 does NOT necessarily improve security
>> over current algorithms.
>>
>> Moving to HMAC-SHA1 does mean that the CPU on a router
>> receiving a DOS attack via some IGP would be more severely
>> impacted (because SHA1 is more computationally expensive
>> than MD5).[2]
>>
>> In fact, there are no known attacks (so far) upon any of these:
>>       - Keyed MD5
>>       - HMAC MD5
>>       - HMAC SHA/SHA1/SHA2
>>
>> [If someone knows of a published attack on any of the above,
>> please do post a full bibliographic citation here, so that WG
>> participants can go find/read the paper in question.
>> If some new discovery has happened, I'm personally quite keen
>> to learn about it. :-]
>
> I agree so am I and the rest of the world.

So you agree above that HMAC-SHA is not necessarily stronger,
and has similar properties to the existing mechanisms --
so far as any of us are aware right now.

And we all hope that if anyone hears otherwise, they will share
that information here.

To Summarise:

 From the meeting minutes, and given the agreement just above,
it seems that the proposal discussed in the meeting minutes was
to encourage users to move to a mechanism that (1) isn't obviously
better and that (2) we know relies upon algorithms (i.e. SHA)
that NIST is in the process of deprecating (due to concerns
about SHA that are equivalent to the concerns about MD5).

The only reason that I know of to move to SHA is to comply
with some local organisational policy.   That policy-compliance
reasoning is what drove the creation of RFC-4822, pure and
simple.

So it seems non-obvious to me that this WG should make a
recommendation that users migrate to HMAC-SHA mechanisms
in preference to other mechanisms.

Separately, I'm pleased that there is agreement that work on
Key Management for IGPs would be useful.  An "IGP key management
requirements" draft might be a reasonable place for someone to start.

Yours,

Ran
rja@extremenetworks.com

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec

v2.23.0 | Report a Bug | By Email