[saag] Fate of BFD extended authentication mechanisms
Jeffrey Haas <jhaas@pfrc.org> Tue, 24 May 2016 19:18 UTC
Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 636AF12D9DE for <saag@ietfa.amsl.com>; Tue, 24 May 2016 12:18:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.328
X-Spam-Level:
X-Spam-Status: No, score=-3.328 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CHYXJP7PvWAS for <saag@ietfa.amsl.com>; Tue, 24 May 2016 12:18:49 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id F010D12D9EF for <saag@ietf.org>; Tue, 24 May 2016 12:18:37 -0700 (PDT)
Received: by slice.pfrc.org (Postfix, from userid 1001) id 3D9681E335; Tue, 24 May 2016 15:24:00 -0400 (EDT)
Date: Tue, 24 May 2016 15:24:00 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: saag@ietf.org
Message-ID: <20160524192400.GA9721@pfrc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/y5CUiX1GyibSiqp5IR67-3OaB1I>
Subject: [saag] Fate of BFD extended authentication mechanisms
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 May 2016 19:18:58 -0000
Security-folk, Partially as a response to work concluded in the KARP Working Group, there was previously some effort to enhance the cryptographic authentication mechanisms present in BFD. The core BFD protocol is described in RFC 5880, including its authentication mechanisms. The two main documents covering this work are below: https://tools.ietf.org/html/draft-ietf-bfd-generic-crypto-auth-06 https://tools.ietf.org/html/draft-ietf-bfd-hmac-sha-05 To somewhat tritely summarize the work in these two documents, the generic doc provides for: - Increase the number space of authentication sequence number to 64 bits from 32. - Provide a larger numbering space for key identifiers, from 8 bits to 16 bits. - Re-using this structure for all future types rather than making it a property of the individual authentication section for a given mechanism. The hmac-sha doc describe SHA-2 variants of ciphers. In general, these are understood to be the Right Things to do for BFD. However, lack of interest in the industry from either vendors or customers, and lack of drive from within the working group have contributed to these documents going stale. There is also the secondary issue that as a result of the speed at which BFD operates and the fact it is often operating under extremely constrained compute resources, even existing ciphers are not well deployed in spite of the known weaknesses in the strength of those ciphers. There is a separate effort beginning in BFD that may mitigate these issues, but I have requested the authors of that draft to contact the security area separately to discuss their proposal: https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/ Now to my question: It's generally understood that implementations of security mechanisms often lag their specifications. It's also generally understood that you want those specifications to exist because when you need them, it's possibly already too late. Given this, I'm looking at options to help drive the BFD generic crypto and hmac-sha document to publication. As mentioned, the interest in the BFD WG is low. My question is what is the perceived status of security related documents that are on the Experimental track? For these documents to progress on the standards track, they'd have to have some likelihood of being deployed. That point is, as above, unclear. -- Jeff
- Re: [saag] Fate of BFD extended authentication me… Alan DeKok
- Re: [saag] Fate of BFD extended authentication me… Jeffrey Haas
- Re: [saag] Fate of BFD extended authentication me… Watson Ladd
- Re: [saag] Fate of BFD extended authentication me… Alan DeKok
- Re: [saag] Fate of BFD extended authentication me… Stephen Farrell
- [saag] Fate of BFD extended authentication mechan… Jeffrey Haas
- Re: [saag] Fate of BFD extended authentication me… Peter Gutmann
- Re: [saag] Fate of BFD extended authentication me… Mark D. Baushke
- Re: [saag] Fate of BFD extended authentication me… Jeffrey Haas
- Re: [saag] Fate of BFD extended authentication me… Sam Hartman
- Re: [saag] Fate of BFD extended authentication me… Jeffrey Haas