Re: [secdir] Secdir review of draft-ietf-tcpm-tcp-ao-crypto-02

Magnus Nyström <> Tue, 09 March 2010 06:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A3F7A3A6832; Mon, 8 Mar 2010 22:35:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pljhGYydmQ3K; Mon, 8 Mar 2010 22:35:03 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 5B9D63A681F; Mon, 8 Mar 2010 22:35:02 -0800 (PST)
Received: by gwj18 with SMTP id 18so76gwj.31 for <multiple recipients>; Mon, 08 Mar 2010 22:35:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=we0p0msTowaFVWK/XbwBdJsoRIrJy4vVHT4mUTIhpHQ=; b=mJWChYKJvnKWO5BQ4yabJBYTJ2pfHb/W11Xh0CEFtG+Be+mRyFSERh0sbH1BzwkKvf lioM6fr6NKHOKc8zQxN0uudcIZsAUNgpwaWaPUc8bmOG526wbPuF+rY4WaTDmqIA1R4E L65MGYIKtq9HKyVfSg0TAlL99I2Z3QmpGewZE=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=lEEr+G/r8yZA0UoSy5z5b//f8swh9JeIviWPWfQrb8nNpntti4WMP8T0mOE6UGQWgw YFNBRABL0ZdKVpfu200D0EvBS2PzmA8FsOHh6bJLCcrybpEhl3+RRaGDPiByvo88TS0n pkV/XlI4DREOmWCtRk81zGE7tjXL4VRfM6les=
MIME-Version: 1.0
Received: by with SMTP id r2mr352457anj.67.1268116503334; Mon, 08 Mar 2010 22:35:03 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Mon, 8 Mar 2010 22:35:03 -0800
Message-ID: <>
From: =?ISO-8859-1?Q?Magnus_Nystr=F6m?= <>
To: Gregory Lebovitz <>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc:, Eric Rescorla <>,, Tim Polk <>,,
Subject: Re: [secdir] Secdir review of draft-ietf-tcpm-tcp-ao-crypto-02
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 09 Mar 2010 06:35:05 -0000

Thanks Gregory - a couple of comments below, inline.

On Mon, Mar 8, 2010 at 9:52 PM, Gregory Lebovitz <> wrote:
> Hey Magnus,
> Thanks a lot for the review. Comments inline below...
> On Fri, Mar 5, 2010 at 9:42 PM, Magnus Nyström <> wrote:
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors.  Document editors and WG chairs should treat
>> these comments just like any other last call comments
>> This document specifies requirements on cryptographic algorithms to be
>> used in the TCP Authentication Option (TCP APO). It also specifies
>> some mandatory algorithms.
>> Comments:
>> Abstract:
>> - The abstract does not mention that the document also specifies
>> requirements on future algorithms. IMO, it should.
> Ok
>> Section 1:
>> (- Last paragraph is what prompted my comment on the abstract.)
>> Section 2.2:
>> - Suggest moving the note explaining the need to mandate two MAC
>> algorithms to the Security Considerations section as it does not
>> contain normative text but does contain security considerations.
> Good point. When I originally wrote this text it did contain normative text.
> Then I got some feedback that maybe we should down-grade the text to be
> non-normative, but still clear guidance. If you think it makes a big
> difference, I can move it. Otherwise, I'd like to keep it with the text
> describing the "template" for how all TCP-AO algos are used, so that people
> who are looking for the template will see the text right there, whereas they
> might miss it if they are skimming and don't make it all the way to the SC
> section. Let me know what you think.

You could also place the note in the Security Considerations section
and then just reference it in 2.2, like "For an explanation of the
need for two MAC algorithms, see the Security Considerations section."
I think that would be better, keeping all security considerations in
one place.

>> - Section
>> - It is a little surprising to see that the SHA-1-based MAC algorithm
>> is selected as the default one, given that this is a new specification
>> and the industry is moving away from SHA-1. C.f. the work on XML
>> Encryption 1.1 and XML Signature 1.1 that specificallly recommends
>> against use of SHA-1 in new applications.
> In TCP-AO SHA-1 is used as an HMAC, not a signing algo, so it does not have
> the same properties in this context, and has shown no weaknesses, afaik. As
> you can imagine we had a very long debate around which algo to make
> mandatory. In the end (as the text was supposed to explain), Pasi and Tim
> chose SHA-1 for both its strength and its wide availability in the target
> devices (routers -- this is first and foremost being done for BGP
> protection). But, since it's been around a while, and we always want to have
> 2 good algos in place, one the older more available, and a newer
> up-and-comer, the AES was also specified. Unless Pasi and Tim want to change
> their recommendations to the TCPM WG, we'll probably sit tight with this the
> way it reads currently.

Yes, I can (and did...) imagine you had lengthy discussions around
this... OK, since Pasi and Tim chose it I will rest my case...

-- Magnus

>> - Section 6 (Security Considerations):
>> In the fourth paragraph, there is a discussion around the fact that
>> the document does not force use of a 16 octet key. I think it would be
>> useful to at least clearly state a recommended minimum key size.
> Interesting point. We had this debate in WG too.
> My .02:  this is a security vs convenience thing. We give the deployer
> plenty enough guidance and pointers to other RFC's and NIST docs to allow
> them to do their homework to decide what length key they want, stopping just
> short of telling them a recommended min key size. The deployers here are
> router operators, for the most part. The ones that have a clue are already
> using 128bit keys, generated randomly. The ones that aren't probably aren't
> going to read this document anyway.
> Any thoughts from Tim or EKR?