Re: [OPSEC] additional documents needing a home...
"Vishwas Manral" <vishwas.ietf@gmail.com> Sat, 04 October 2008 04:31 UTC
Return-Path: <opsec-bounces@ietf.org>
X-Original-To: opsec-archive@optimus.ietf.org
Delivered-To: ietfarch-opsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 671903A67EE; Fri, 3 Oct 2008 21:31:12 -0700 (PDT)
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5F9E03A67FB for <opsec@core3.amsl.com>; Fri, 3 Oct 2008 21:31:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.493
X-Spam-Level:
X-Spam-Status: No, score=-2.493 tagged_above=-999 required=5 tests=[AWL=0.106, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8BBM2SCMU1QC for <opsec@core3.amsl.com>; Fri, 3 Oct 2008 21:31:10 -0700 (PDT)
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.158]) by core3.amsl.com (Postfix) with ESMTP id AF2C33A67EE for <opsec@ietf.org>; Fri, 3 Oct 2008 21:31:09 -0700 (PDT)
Received: by fg-out-1718.google.com with SMTP id d23so1262586fga.41 for <opsec@ietf.org>; Fri, 03 Oct 2008 21:31:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=hi989bCPwSt0MktskZqqlfetBK4vOhqC3lwqVIyrBH0=; b=twie3BaYCfbaE+A/G/21QtZVeVhqrGF+NpRe5tgt//5smn9fjHcDu8Zf0yyMD5lhJd 0EmfHeiLJMk9t/n/hVFvQVoVxOjZyK4LD5ZD11GiLsL7Qoby0o3hn4iMe0lX3uJ1Lng7 SFeojsT/uOv8gyO2KEs5FRIqeQxHEAJGi17VE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=K/StV6AH7BfQI9Q571nqxsdjlK6w6GxDDwkTYXKPit9lUkEyQj2Ausd5cZI/hmqoXa lvTO8rWK6RV5v0FMLgmLyX7K2cLTjgyEFZjSnwW+M0onkgYUzwZ72+qel5ekJ9XhHhU1 9xDiBifRDVMuc0kmhBxRVGZVIq/yvGt8usPWU=
Received: by 10.181.30.10 with SMTP id h10mr1498395bkj.41.1223094697754; Fri, 03 Oct 2008 21:31:37 -0700 (PDT)
Received: by 10.180.226.2 with HTTP; Fri, 3 Oct 2008 21:31:37 -0700 (PDT)
Message-ID: <77ead0ec0810032131n6551ddcagfa026bdc1ae6bf93@mail.gmail.com>
Date: Sat, 04 Oct 2008 10:01:37 +0530
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: Joel Jaeggli <joelja@bogus.com>
In-Reply-To: <48E6D46B.7020401@bogus.com>
MIME-Version: 1.0
Content-Disposition: inline
References: <92c950310808250646t50c00ce0w8a778dc19c08188b@mail.gmail.com> <77ead0ec0809302014p336614afp433ea8de040713c5@mail.gmail.com> <6D26D1FE43A66F439F8109CDD424196501ED2F61@INEXC1U01.in.lucent.com> <48E6D46B.7020401@bogus.com>
Cc: opsec@ietf.org
Subject: Re: [OPSEC] additional documents needing a home...
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: opsec-bounces@ietf.org
Errors-To: opsec-bounces@ietf.org
Hi Joel, I agree with you on this!!! Thanks, Vishwas On 10/4/08, Joel Jaeggli <joelja@bogus.com> wrote: > Bhatia, Manav (Manav) wrote: >> >> I support draft-manral-rpsec-existing-crypto-05 and I think OPSEC is the >> right home for this draft. > > > Regarding: > > http://tools.ietf.org/html/draft-bhatia-manral-igp-crypto-requirements-00 > > I have concerns about this document making protocol requirements within > the scope of our charter. Making this a set of protocol best practices I > think hews more closely to our charter (and doesn't belong in routing). > > any thoughts on that? > > problems with manual keying seems straight up our alley. > > http://tools.ietf.org/html/draft-manral-rpsec-existing-crypto-05 > > and i have no reservations for taking that one to our ADs. > > joelja > >> Cheers, >> Manav >> >>> -----Original Message----- >>> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] >>> On Behalf Of Vishwas Manral >>> Sent: Wednesday, October 01, 2008 8.44 AM >>> To: Glen Kent >>> Cc: opsec@ietf.org >>> Subject: Re: [OPSEC] additional documents needing a home... >>> >>> Hi Joel, >>> >>> I wanted to know your opinion of the consensus, and it was for >>> allowing the work in the OPSEC WG? >>> >>> Thanks, >>> Vishwas >>> >>> On 8/25/08, Glen Kent <glen.kent@gmail.com> wrote: >>>> I strongly believe that drafts draft-ietf-rpsec-bgp-session-sec-req >>>> and draft-manral-rpsec-existing-crypto-05 very much belong here in >>>> OPSEC. >>>> >>>> Glen >>>> >>>> ---------- Forwarded message ---------- >>>> From: Joel Jaeggli <joelja@bogus.com> >>>> Date: Thu, Aug 21, 2008 at 6:43 AM >>>> Subject: [OPSEC] additional documents needing a home... >>>> To: opsec wg mailing list <opsec@ietf.org> >>>> >>>> >>>> Folks, >>>> >>>> Dave Ward has proposed adding: >>>> >>>> Michael Behringer's rpsec draft >>>> >>>> http://tools.ietf.org/html/draft-ietf-rpsec-bgp-session-sec-req-01 >>>> >>>> Abstract >>>> >>>> The document "BGP security requirements" >>> (draft-ietf-rpsec-bgpsecrec) >>>> specifies general security requirements for BGP. >>> However, specific >>>> security requirements for single BGP sessions, i.e., the >>> connection >>>> between two BGP peers, are only touched on briefly in the section >>>> "transport layer protection". This document expands on this >>>> particular aspect of BGP security, defining the security >>> requirements >>>> between two BGP peers. >>>> >>>> which as was presented in opsec in ireland >>>> >>>> and >>>> >>>> >>>> http://tools.ietf.org/html/draft-manral-rpsec-existing-crypto-05 >>>> >>>> Abstract >>>> >>>> Routing protocols are designed to use cryptographic mechanisms to >>>> authenticate data being received from a neighboring >>> router to ensure >>>> that it has not been modified in transit, and actually originated >>>> from the neighboring router purporting to have >>> originating the data. >>>> Most of the cryptographic mechanisms defined to date rely on hash >>>> algorithms applied to the data in the routing protocol >>> packet, which >>>> means the data is transported, in the clear, along with a >>> signature >>>> based on the data itself. These mechanisms rely on the manual >>>> configuration of the keys used to seed, or build, these hash based >>>> signatures. This document outlines some of the problems >>> with manual >>>> keying of these cryptographic algorithms. >>>> >>>> >>>> >>> http://tools.ietf.org/html/draft-bhatia-manral-igp-crypto-requ >>> irements-00 >>>> Abstract >>>> >>>> The interior gateway routing protocols OSPFv2 [RFC2328], >>> IS-IS [ISO] >>>> [RFC1195] and RIP [RFC2453] currently define clear text and MD5 >>>> [RFC1321] algorithms for authenticating their protocol >>> packets. There >>>> have recently been documents adding support of the SHA >>> family of hash >>>> algorithms for authenticating routing protocol packets >>> for RIP, IS-IS >>>> and OSPF. >>>> >>>> To ensure interoperability between disparate >>> implementations, it is >>>> imperative that we specify a set of >>> mandatory-to-implement algorithms >>>> thereby ensuring that there is at least one algorithm that all >>>> implementations will have available. >>>> >>>> >>>> >>>> which were not... >>>> >>>> As these document existing practice or problems with >>> existing protocols >>>> I think it is conceivable that this work would fall within >>> our proposed >>>> and soon to be official charter. >>>> >>>> I would like to hear some opinions on the subject. there was some >>>> discussion of the first document during the opsec wg meeting and I >>>> believe that the record shows some support for and against >>> housing it in >>>> opsec. >>>> >>>> thanks >>>> joelja >>>> _______________________________________________ >>>> OPSEC mailing list >>>> OPSEC@ietf.org >>>> https://www.ietf.org/mailman/listinfo/opsec >>>> >>> _______________________________________________ >>> OPSEC mailing list >>> OPSEC@ietf.org >>> https://www.ietf.org/mailman/listinfo/opsec >>> >> _______________________________________________ >> OPSEC mailing list >> OPSEC@ietf.org >> https://www.ietf.org/mailman/listinfo/opsec >> > > _______________________________________________ > OPSEC mailing list > OPSEC@ietf.org > https://www.ietf.org/mailman/listinfo/opsec > _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec
- [OPSEC] additional documents needing a home... Joel Jaeggli
- Re: [OPSEC] additional documents needing a home... Glen Kent
- Re: [OPSEC] additional documents needing a home... Vishwas Manral
- Re: [OPSEC] additional documents needing a home... Bhatia, Manav (Manav)
- Re: [OPSEC] additional documents needing a home... Bhatia, Manav (Manav)
- Re: [OPSEC] additional documents needing a home... Joel Jaeggli
- Re: [OPSEC] additional documents needing a home... Vishwas Manral
- Re: [OPSEC] additional documents needing a home... Steinthor Bjarnason (sbjarnas)
- [OPSEC] draft-bhatia-manral-igp-crypto-requiremen… Bhatia, Manav (Manav)