Re: [OPSEC] minutes part 2
"Vishwas Manral" <vishwas.ietf@gmail.com> Mon, 29 December 2008 22:01 UTC
Return-Path: <opsec-bounces@ietf.org>
X-Original-To: opsec-archive@optimus.ietf.org
Delivered-To: ietfarch-opsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1B3DA3A677C; Mon, 29 Dec 2008 14:01:06 -0800 (PST)
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2CE333A677C for <opsec@core3.amsl.com>; Mon, 29 Dec 2008 14:01:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IMFgfMEoHp1H for <opsec@core3.amsl.com>; Mon, 29 Dec 2008 14:01:04 -0800 (PST)
Received: from mail-bw0-f21.google.com (mail-bw0-f21.google.com [209.85.218.21]) by core3.amsl.com (Postfix) with ESMTP id A778D3A6452 for <opsec@ietf.org>; Mon, 29 Dec 2008 14:01:03 -0800 (PST)
Received: by bwz14 with SMTP id 14so16699320bwz.13 for <opsec@ietf.org>; Mon, 29 Dec 2008 14:00:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=WLtMUlQmbxwx/NFF5QvFb7Vv0kv6bSSAuA/jdmKEKOc=; b=D5/TsK+JBgj/Rzbn7zuMngxqBiWPj6X0MsbBRTzsGHTflFabdl8NOrIv4Yhk8sY8bd ybR4Toco9toRphB8fL3mZCUifoaAp+X5sQkQXPPclH5W8oKglhAK72wOUav96/t4DAde H6t4vY034MSkRdckDCW+GqUliXTgLKgumPTWI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=FocKPNdOVB5Ihr+IFlBuMys2hJZpFHhTuIBirmPwts0wCzW479vjyAU3STeoAAEyRs ZJKkGUhh6eNPsk7T/Ko3Qa2uwtsJbT9oSseICml+gZzx//PwIResm2sPFKKjxmyNcOBv 7aePm0Wtvl5WkRhlvuxZhxZxy8mwrdsjXuKL4=
Received: by 10.181.137.13 with SMTP id p13mr5359476bkn.173.1230588051107; Mon, 29 Dec 2008 14:00:51 -0800 (PST)
Received: by 10.180.209.3 with HTTP; Mon, 29 Dec 2008 14:00:50 -0800 (PST)
Message-ID: <77ead0ec0812291400g5819c929y718683de7fa3ed45@mail.gmail.com>
Date: Mon, 29 Dec 2008 14:00:50 -0800
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: R Atkinson <ran.atkinson@gmail.com>
In-Reply-To: <104A40DD-D2FB-48F2-A5D2-28C0E4ADA663@gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
References: <EC3F7E1D-F7C8-484A-A0C0-1A25E79AD86E@extremenetworks.com> <494D48B6.9090302@bogus.com> <77ead0ec0812222113m28f91093ke6512a5d7a287b0c@mail.gmail.com> <1D5F3F5F-4357-4E25-BEDE-35300949EDB8@gmail.com> <77ead0ec0812231006u55443dacn1731f51a8e922b62@mail.gmail.com> <8CA72870-DEB9-4979-8478-ED5467AF3DD3@gmail.com> <77ead0ec0812231556t73e24f17m9d52862672b22dc5@mail.gmail.com> <4070E95B-4E30-4B1F-90F1-B20F67EDEDFF@gmail.com> <77ead0ec0812291316h75c87da3i190cb23996e09a10@mail.gmail.com> <104A40DD-D2FB-48F2-A5D2-28C0E4ADA663@gmail.com>
Cc: opsec@ietf.org
Subject: Re: [OPSEC] minutes part 2
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: opsec-bounces@ietf.org
Errors-To: opsec-bounces@ietf.org
Hi Ran, I will deal with the two topics in seperate mails. >> That is good. So we agree that NIST atleast encourages the protocol >> designers to use the algorithms. :) > > Well, your words above are not what I said. >From the NIST site and has been shared earlier with you (I am just quoting what NIST states on its web site which has been updated 2 months back): "Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols." Thanks, Vishwas > NIST prefers SHA-2 over other shorter forms of SHA, > probably because NIST (for now) can only recommend SHA > (as it is the only NIST hashing algorithm), NIST have > to recommend *something*, and SHA-2 has the longest > key size. > >> We probably also agree that there >> is cutomer request for the use of the SHA algorithms as has been >> brought out by others too. > > I'm the one who started the whole effort on SHA for IGPs, > just as I'm the one who started the whole effort to add > cryptographic authentication to IGPs last decade. > Having SHA as an option is sensible because it solves > a *policy* problem for some US Government users, including > some parts of DoD. This was all covered in my past IETF > presentations. > >> I have been following the NIST development of the new protocol and it >> is very well known inside the community that any new algorithm to >> replace SHA will be deployable only 10 years or so later. > > I disagree with your 10 year assessment. AES deployed MUCH > MUCH more rapidly, after following a similar process for > public submission, public review, etc. The IPsec magic > number for AES was allocated by IANA shortly after the AES > selection was announced by NIST, and there were interoperable > implementations of AES-CBC for IPsec ESP shortly after that > (even before the I-D appeared, as I recall). > >> Regarding the talk of SHA algorithm having issues are correct however >> after talking to cryptographers who have evaluated the current attacks >> - it seems clear to them that MD5 strength is considerably lesser than >> the SHA algorithm strengths. I will send you the details in another >> mail. I have already shared the same with the WG chair. > > I've consistently asked for a peer reviewed paper. > I like Hugo, but an email containing another person's > opinion is not a peer-reviewed paper. > > Mind, such paper ought to be about the algorithms *in the modes > used for IGPs* since the matter at hand is IGPs. > > If someone has done some formal maths and published it, > in some peer reviewed forum, please provide a citation > (or URL or something) to that paper so everyone can read it. > > Hugo publishes from time to time, if he has published on > this, it would be helpful if he'd provide the full > citation (a URL to the paper would also be nice). > >> It also seems clear from talks with the AD's that MD5 is not >> recommended in any form for any cryptographic use - it is however >> still not the case for SHA algorithm. > > Thanks, but I'll wait for whichever ADs you mean above > to speak directly for themselves. > > (Aside: MD5 was never a NIST algorithm; it isn't a surprise > to me that NIST hasn't recommended a non-NIST algorithm > for any uses.) > > Cheers, > > Ran > rja@extremenetworks.com > > > > _______________________________________________ > OPSEC mailing list > OPSEC@ietf.org > https://www.ietf.org/mailman/listinfo/opsec > _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec
- [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- [OPSEC] Prospective issue with IPsec ESP-NULL & I… R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Darrel Lewis (darlewis)
- Re: [OPSEC] minutes part 2 Darrel Lewis (darlewis)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- [OPSEC] FW: minutes part 2 Michael Barnes
- Re: [OPSEC] FW: minutes part 2 Smith, Donald
- Re: [OPSEC] FW: minutes part 2 Michael Barnes
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson