Re: [secdir] SecDir review of draft-ietf-mpls-ldp-hello-crypto-auth-05

["Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>]

Hi Stephen,

The crypto mathematics in our draft (and RFC 5310, 5709, 6506, .. and quite a few other RFCs/drafts) is slightly different from the basic HMAC. In all these RFCs we've introduced an additional pad (unimaginatively called the "Apad") that's used in the hash computation. We were asked to include the Apad when we were originally writing the IS-IS and OSPFv2 security (RFC 5310 and 5709) RFCs. Ran Atkinson along with Mathhew Fanto (from NIST) had earlier written the RIPv2 RFC which had first employed the Apad. I was unequivocally told (by the Security ADs as well) that the Apad had to be included since that's what NIST wanted. I am sure Ran Atkinson can explain you more clearly about what the actual deal was. However, ever since then, we've been including the Apad in all our standards (at least the ones coming out of the Routing Area WG).

This has now been extensively implemented and there are libraries available that account for the Apad when computing the hash for the routing protocols.

The Apad is now employed for RIP, OSPF, OSPFv3. I see no reason why LDP should be an exception. The same has been proposed for BFD btw.

Cheers, Manav

> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: Wednesday, May 21, 2014 2:53 AM
> To: Bhatia, Manav (Manav); IETF Security Directorate; The IESG; draft-
> ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org
> Cc: Yaron Sheffer; manavbhatia@gmail.com
> Subject: Re: SecDir review of draft-ietf-mpls-ldp-hello-crypto-auth-05
> 
> 
> 
> On 19/05/14 21:27, Yaron Sheffer wrote:
> >>>
> >>> * 5.1: Redefining HMAC (RFC 2104) is an extremely bad idea. This
> >>> reviewer does not have the appropriate background to critique the
> >>> proposed solution, but there must be an overwhelming reason to
> reopen
> >>> cryptographic primitives.
> >>
> >> This is a decision that was taken by Sec Ads when we were doing the
> >> crypto protection for the IGPs based on some feedback from NIST.
> This
> >> mathematics is not new and has been done for all IGPs and has been
> >> approved and rather encouraged by the Security ADs.
> 
> The above does not sound like something I recognise. I
> have repeatedly asked that documents not re-define HMAC.
> Perhaps this time, I'll make that a DISCUSS and not budge.
> I probably should have done that before TBH.
> 
> If you are revising that doc, *please* get rid of the
> re-definition and just properly refer to HMAC. Its about
> time to stop repeating that error.
> 
> S.