Re: [OPSEC] minutes part 2

R Atkinson <ran.atkinson@gmail.com> Wed, 17 December 2008 01:28 UTC

Vishwas,

Can we please get answers to these questions -- which in fact
are entirely on topic for the OPsec WG, since they are all
operational security matters ?

(Single quotes are from me; double-quotes are from Vishwas'
earlier emails.)

1:  OSPF with Digital Signatures
> OSPF with Digital Signatures is an existing mechanism (RFC-2154).
> Is it discussed at the same level of detail as other mechanisms ?


2:  Filtering of IGP packets
>> I have mentioned cases where they may not be able to be filtered.
>
> Which specific cases ? Please provide a URL for your note to the OPsec
> list where you detailed those cases. I have looked, and I can't find
> that note in the OPsec list web archives, terribly sorry.

This is an immediate operational security issue, if true.
I'm sure I'm not the only person who'd like to understand
the claim more precisely.


3: User interest in SHA mechanisms for IGP authentication
> Do you know of anyone other than US DoD that wants this ?
> (US DoD are the only ones that I can identify, and they are
> saying their interest is only for "policy reasons".)
>
> If so, which users ? which RFPs ?


4:  Availability of SHA mechanisms for IGP authentication
> Further, there are no known shipping implementations of
> SHA authentication for any IETF-specified IGP.
> (I don't know of any that are even "in progress".)
>> We know of a few including a big router vendor. :))

Which ?  How many ?  When ?
Are they shipping now or in progress now ?



5:  Claims made by existing IGP authentication documents
>> However if you see most drafts "security considerations" section,
>> they state that using cryptographic authentication is a panacea for
>> all evils.

I can't find even one RFC or I-D that says anything similar
to "using cryptographic authentication is a panacea for all evils".

I checked a bunch of documents, which I enumerated in an earlier
email; none contained any such language.

Which specific document does this ?  and on which page ?


Thanks,

Ran
