IETF Logo Mail Archive

Re: [secdir] SecDir review of draft-ietf-mpls-ldp-hello-crypto-auth-05

Manav Bhatia <manavbhatia@gmail.com> Wed, 28 May 2014 07:07 UTC

Return-Path: <manavbhatia@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C5D21A0816; Wed, 28 May 2014 00:07:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zeueRa7Su74d; Wed, 28 May 2014 00:06:54 -0700 (PDT)
Received: from mail-oa0-x22a.google.com (mail-oa0-x22a.google.com [IPv6:2607:f8b0:4003:c02::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F12081A0384; Wed, 28 May 2014 00:06:53 -0700 (PDT)
Received: by mail-oa0-f42.google.com with SMTP id j17so10663254oag.15 for <multiple recipients>; Wed, 28 May 2014 00:06:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ybqDp56YYkD9MjD9CNtoG5a5dVCWNldrbQway4HY78w=; b=sEfvbojWKiufh0yXWIzzlIQvr7LBV8soIXcqUnfRODd64rswXAk4SzVrk3P9x6+Psy pjRw2pqR3CNkWK/+EryRtlM714T5ELE7YVQL1G2jXf2VZ2uiglzFJeHbjL9wOKCpTeqi xV8ZVRMgL5unTP9VfjKsIu6aZ2syVA4HA+wSyQbeaOM9tbUTXC/Y9y8ZpjNuOjzWeivO JjddfAiGuPQb7ggIZEvvpgVEc2XRaP7cSMNIRM/CL9Odzsm9R0R1rJnKBDdbA1JG8nuW MmbMDfYcktsFtHJblG8VF4foYayrPGu+wMPUa9e0tFUgintgNRK+vRIQXJ6HbCoW+N5t U45g==
MIME-Version: 1.0
X-Received: by 10.60.45.4 with SMTP id i4mr39049204oem.49.1401260810295; Wed, 28 May 2014 00:06:50 -0700 (PDT)
Received: by 10.76.77.97 with HTTP; Wed, 28 May 2014 00:06:50 -0700 (PDT)
In-Reply-To: <53858ACE.8030909@pi.nu>
References: <53761B24.1060501@gmail.com> <20211F91F544D247976D84C5D778A4C32E60982F@SG70YWXCHMBA05.zap.alcatel-lucent.com> <537A694C.60101@gmail.com> <537BC7B6.5040406@cs.tcd.ie> <20211F91F544D247976D84C5D778A4C32E60B609@SG70YWXCHMBA05.zap.alcatel-lucent.com> <537C5BCE.4010801@cs.tcd.ie> <20211F91F544D247976D84C5D778A4C32E60B6A8@SG70YWXCHMBA05.zap.alcatel-lucent.com> <537C7EDB.9050000@cs.tcd.ie> <CAG1kdogiEJp=jy5D+tvXnAZ2XD0Xe1=kB-do_=h4PU1V9j7KKQ@mail.gmail.com> <537C86D6.1030703@pi.nu> <20211F91F544D247976D84C5D778A4C32E60BA5C@SG70YWXCHMBA05.zap.alcatel-lucent.com> <537CA2D2.4070103@cs.tcd.ie> <54E263B5-41C7-4523-9941-B3E39AE077CD@mit.edu> <57ee448f94f94cd7ba040903e604aa3c@SG70XWXCHHUB01.zap.alcatel-lucent.com> <CAG1kdoj=VpE_EJc1zB=50eTsr=44Jr4yUc3BZVH2QpLJMR6mHQ@mail.gmail.com> <2EEA459CD95CCB4988BFAFC0F2287B5C5C8302E4@SZXEMA504-MBS.china.huawei.com> <53858ACE.8030909@pi.nu>
Date: Wed, 28 May 2014 12:36:50 +0530
Message-ID: <CAG1kdoidVWx2i_TEsBtvDCVPq99_ZpnNkY59GPi-=RHfzrO0wQ@mail.gmail.com>
From: Manav Bhatia <manavbhatia@gmail.com>
To: Loa Andersson <loa@pi.nu>
Content-Type: multipart/alternative; boundary="089e0149cb9cd6295e04fa707425"
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/KOJrIGc2FEpgkGX17kaQ_geqZUk
Cc: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>, IETF Security Directorate <secdir@ietf.org>, "draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org" <draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org>, The IESG <iesg@ietf.org>, Vero Zheng <vero.zheng@huawei.com>
Subject: Re: [secdir] SecDir review of draft-ietf-mpls-ldp-hello-crypto-auth-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 May 2014 07:07:03 -0000

Yup, thats correct!


On Wed, May 28, 2014 at 12:35 PM, Loa Andersson <loa@pi.nu> wrote:

> All,
>
> Do I understand correctly if we are now OK to go ahead and have
> this draft approved?
>
> /Loa
>
>
> On 2014-05-26 03:30, Vero Zheng wrote:
>
>> Thanks Yaron and Manav for working this out.
>>
>> I have just confirmed the post.
>>
>> Cheers, Vero
>>
>> *From:*Manav Bhatia [mailto:manavbhatia@gmail.com]
>> *Sent:* Sunday, May 25, 2014 1:50 PM
>> *To:* Yaron Sheffer
>> *Cc:* Uri Blumenthal; Stephen Farrell; Bhatia, Manav (Manav); IETF
>>
>> Security Directorate;
>> draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org; The IESG; Loa
>> Andersson
>> *Subject:* Re: [secdir] SecDir review of
>>
>> draft-ietf-mpls-ldp-hello-crypto-auth-05
>>
>> Hi,
>>
>> Yaron, I and few of us exchanged quite a few emails offline and we have
>> come up with a version that addresses Yaron's and Stephen's concerns
>> about repeating the HMAC stuff thats already present in RFC 2104. We've
>> cleaned it up pretty nicely with very minimal changes.
>>
>> I am unable to submit this latest and the greatest version since i have
>> updated my email ID in this version. The tracker requires one of the
>> co-authors to authenticate/approve the submission.
>>
>> I am attaching the latest version with this email in case folks want to
>> go through this till it becomes available formally.
>>
>> The draft is all set to fly now! :-)
>>
>> Cheers, Manav
>>
>> On Wed, May 21, 2014 at 7:54 PM, Yaron Sheffer <yaronf.ietf@gmail.com
>> <mailto:yaronf.ietf@gmail.com>> wrote:
>>
>> IMHO, this is purely a naming problem. Apad does NOT modify the base
>> HMAC, please see
>> http://tools.ietf.org/html/draft-ietf-mpls-ldp-hello-
>> crypto-auth-05#section-5.
>> It is just one more thing that's signed by HMAC.
>>
>> My problem with this draft is that they have different ideas about the
>> key length, compared to RFC 2104 (top of Sec. 5.1). Also, I am unhappy
>> that they spell out the HMAC construction instead of leaving it as a
>> black box.
>>
>> But I think Apad is just fine, if it weren't for the unfortunate name
>> that leads people to think it's modifying HMAC.
>>
>> Thanks,
>>          Yaron
>>
>>
>> On 05/21/2014 04:28 PM, Uri Blumenthal wrote:
>>
>>  Once again, please.
>>>
>>> 1. Who specifically, at NIST and at IESG, says that HMAC needs Apad for
>>> security reasons (and therefore is not secure as-is)?
>>>
>>> 2. What are those security reasons, and what are the attacks that are
>>> foiled by Apad?
>>>
>>> 3. What published papers/references/whatever is this documented? As HMAC
>>> came with security proofs, I’d like to see where and how they are
>>> invalidated (if they indeed are).
>>>
>>>
>>>
>>> On May 21, 2014, at 8:57 , Stephen Farrell <stephen.farrell@cs.tcd.ie<mailto:
>>> stephen.farrell@cs.tcd.ie>> wrote:
>>>
>>>
>>>>
>>>> On 21/05/14 12:14, Bhatia, Manav (Manav) wrote:
>>>>
>>>>> I agree with Loa.
>>>>>
>>>>> Our current draft is very simple and has gone through multiple
>>>>> iterations of reviews in at least two WGs. It brings LDP to the same
>>>>> level of security as other protocols running in the networks.
>>>>>
>>>>
>>>> Fully agree with that goal.
>>>>
>>>>
>>>>> I think we should just push it forward and if there is an interest in
>>>>> writing a new ID that updates HMAC specification, then we write one
>>>>> that includes the Apad stuff. I think the latter should anyways be
>>>>> done, regardless of what happens to this particular draft.
>>>>>
>>>>
>>>> I need to read it. But I'd be happier if that HMAC draft existed
>>>> and was going to be processed - then we wouldn't have to do this
>>>> discussion again.
>>>>
>>>> Cheers,
>>>> S.
>>>>
>>>>
>>>>> The IETF submission site is down and hence couldn’t upload the
>>>>> revised ID (addressing Yaron's comments). Will do it tomorrow once
>>>>> its up.
>>>>>
>>>>> After that its ready to be placed before the IESG.
>>>>>
>>>>> Cheers, Manav
>>>>>
>>>>>  -----Original Message----- From: Loa Andersson [mailto:loa@pi.nu<mailto:
>>>>>> loa@pi.nu>]
>>>>>>
>>>>>> Sent: Wednesday, May 21, 2014 4:29 PM To: Manav Bhatia; Stephen
>>>>>> Farrell Cc: Bhatia, Manav (Manav); IETF Security Directorate; The
>>>>>> IESG; draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org
>>>>>>
>>>>> <mailto:ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org>;
>>
>>> Yaron Sheffer Subject: Re: SecDir review of
>>>>>> draft-ietf-mpls-ldp-hello-crypto-auth-05
>>>>>>
>>>>>> Folks,
>>>>>>
>>>>>> I'm only the document shepherd. My feeling is that we are raising
>>>>>> the hurdle step by step for the KARP - initiated RFCs, the first
>>>>>> was comparatively smooth, now we are trying to put an 18 months
>>>>>> effort (individual draft to RFC) in front of approving something
>>>>>> that is comparatively simple and seen as raising LDP to the same
>>>>>> security as the other routing protocols.
>>>>>>
>>>>>> So if we get to tired to push this, we are all better off not
>>>>>> doing the security work for this particular protocol?
>>>>>>
>>>>>> Someone said - "Never let the best be the enemy of the possible"!
>>>>>>
>>>>>> /Loa
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 2014-05-21 12:39, Manav Bhatia wrote:
>>>>>>
>>>>>>> Stephen,
>>>>>>>
>>>>>>>  This however is a long drawn discussion because everyone
>>>>>>>>> needs to
>>>>>>>>>
>>>>>>>> be
>>>>>>
>>>>>>> convinced on the merits of updating the HMAC specification --
>>>>>>>>> which
>>>>>>>>>
>>>>>>>> I
>>>>>>
>>>>>>> am not sure will take how long.
>>>>>>>>>
>>>>>>>>
>>>>>>>> So I need to look at this draft, HMAC and the other cases but
>>>>>>>> it seems to me that you're copying a page or two of crypto spec
>>>>>>>> each time and changing one line. Doing that over and over is a
>>>>>>>> recipe for long term pain, isn't it?
>>>>>>>>
>>>>>>>
>>>>>>> It sure is.
>>>>>>>
>>>>>>> I had volunteered to write a 1-2 page long ID that updated the
>>>>>>> HMAC
>>>>>>>
>>>>>> to
>>>>>>
>>>>>>> include the Apad, but the idea was shot down. The only
>>>>>>> alternative left was to include the crypto stuff in each standard
>>>>>>> that we wrote later.
>>>>>>>
>>>>>>>
>>>>>>>> (And we've had this discussion for each such draft while I've
>>>>>>>> been on the IESG I think, which is also somewhat drawn out;-)
>>>>>>>>
>>>>>>>
>>>>>>> This draft is probably the last one thats coming from the Routing
>>>>>>> WG which will have this level of crypto mathematics spelled out.
>>>>>>> All other IGPs are already covered. In case we need to change
>>>>>>> something
>>>>>>>
>>>>>> in
>>>>>>
>>>>>>> the ones already covered we can refer to the base RFC where we
>>>>>>> have detailed the crypto maths. For example,
>>>>>>> draft-ietf-ospf-security-extension-manual-keying-08 amongst
>>>>>>> other things also updates the definition of Apad. It points to
>>>>>>> the exact mathematics in RFC 5709 and only updates the Apad
>>>>>>> definition in that draft. This draft btw has cleared the WG LC
>>>>>>> and would be appearing before you guys very soon.
>>>>>>>
>>>>>>> Given this, i think we should just pass this draft with this
>>>>>>> level of details. Subsequently, when LDP wants to update
>>>>>>> something, it can normatively refer to this RFC and only give the
>>>>>>> changes.
>>>>>>>
>>>>>>> Cheers, Manav
>>>>>>>
>>>>>>>
>>>>>>>> S.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> Cheers, Manav
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> S
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Cheers, Manav
>>>>>>>>>>>
>>>>>>>>>>>  -----Original Message----- From: Stephen Farrell
>>>>>>>>>>>> [mailto:stephen.farrell@cs.tcd.ie <mailto:stephen.farrell@cs.
>>>>>>>>>>>> tcd.ie>] Sent:
>>>>>>>>>>>>
>>>>>>>>>>> Wednesday, May
>>
>>> 21, 2014 2:53 AM To: Bhatia, Manav (Manav); IETF
>>>>>>>>>>>> Security Directorate; The IESG; draft-
>>>>>>>>>>>> ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org
>>>>>>>>>>>>
>>>>>>>>>>> <mailto:ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org> Cc:
>>
>>> Yaron Sheffer;manavbhatia@gmail.com <mailto:manavbhatia@gmail.com>
>>>>>>>>>>>> Subject: Re:
>>>>>>>>>>>>
>>>>>>>>>>>> SecDir review of
>>>>>>>>>>>> draft-ietf-mpls-ldp-hello-crypto-auth-05
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 19/05/14 21:27, Yaron Sheffer wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>>> * 5.1: Redefining HMAC (RFC 2104) is an extremely
>>>>>>>>>>>>>>> bad idea. This reviewer does not have the
>>>>>>>>>>>>>>> appropriate background to critique the proposed
>>>>>>>>>>>>>>> solution, but there must be an overwhelming
>>>>>>>>>>>>>>> reason to
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> reopen> >>>>> cryptographic primitives.
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is a decision that was taken by Sec Ads when
>>>>>>>>>>>>>> we were doing the crypto protection for the IGPs
>>>>>>>>>>>>>> based on some feedback from NIST.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> This
>>>>>>>>>>>>
>>>>>>>>>>>>> mathematics is not new and has been done for all
>>>>>>>>>>>>>> IGPs and has been approved and rather encouraged by
>>>>>>>>>>>>>> the Security ADs.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> The above does not sound like something I recognise. I
>>>>>>>>>>>> have repeatedly asked that documents not re-define
>>>>>>>>>>>> HMAC. Perhaps this time, I'll make that a DISCUSS and
>>>>>>>>>>>> not budge. I probably should have done that before
>>>>>>>>>>>> TBH.
>>>>>>>>>>>>
>>>>>>>>>>>> If you are revising that doc, *please* get rid of the
>>>>>>>>>>>> re-definition and just properly refer to HMAC. Its
>>>>>>>>>>>> about time to stop repeating that error.
>>>>>>>>>>>>
>>>>>>>>>>>> S.
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>> --
>>>>>>
>>>>>>
>>>>>> Loa Andersson                        email:loa@mail01.huawei.com<mailto:
>>>>>> loa@mail01.huawei.com>
>>>>>> Senior MPLS Expertloa@pi.nu <mailto:loa@pi.nu> Huawei
>>>>>> Technologies (consultant)     phone:+46 739 81 21 64<tel:%2B46%20739%2081%2021%
>>>>>> 2064>
>>>>>>
>>>>>
>>>> _______________________________________________
>>>> secdir mailing list
>>>> secdir@ietf.org <mailto:secdir@ietf.org>
>>>>
>>>> https://www.ietf.org/mailman/listinfo/secdir
>>>> wiki:http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>>>>
>>>
>>> _______________________________________________
>>> secdir mailing list
>>> secdir@ietf.org <mailto:secdir@ietf.org>
>>>
>>> https://www.ietf.org/mailman/listinfo/secdir
>>> wiki:http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>>>
>>>
>>
> --
>
>
> Loa Andersson                        email: loa@mail01.huawei.com
> Senior MPLS Expert                          loa@pi.nu
> Huawei Technologies (consultant)     phone: +46 739 81 21 64
>

v2.23.0 | Report a Bug | By Email