Re: [secdir] secdir review of draft-ietf-opsec-igp-crypto-requirements

Samuel Weiler <weiler@watson.org> Sun, 19 September 2010 14:29 UTC

Return-Path: <weiler@watson.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E62FE3A692F; Sun, 19 Sep 2010 07:29:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.957
X-Spam-Level:
X-Spam-Status: No, score=-1.957 tagged_above=-999 required=5 tests=[AWL=0.642, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F8fRwXqKvBNy; Sun, 19 Sep 2010 07:29:02 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by core3.amsl.com (Postfix) with ESMTP id 0983C3A68BF; Sun, 19 Sep 2010 07:29:01 -0700 (PDT)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.4/8.14.4) with ESMTP id o8JETM6d064115; Sun, 19 Sep 2010 10:29:23 -0400 (EDT) (envelope-from weiler@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.4/8.14.4/Submit) with ESMTP id o8JETMmh064110; Sun, 19 Sep 2010 10:29:22 -0400 (EDT) (envelope-from weiler@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Sun, 19 Sep 2010 10:29:22 -0400 (EDT)
From: Samuel Weiler <weiler@watson.org>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350CF3916707@INBANSXCHMBSA1.in.alcatel-lucent.com>
Message-ID: <alpine.BSF.2.00.1009191023430.57378@fledge.watson.org>
References: <alpine.BSF.2.00.1009151357390.4814@fledge.watson.org> <7C362EEF9C7896468B36C9B79200D8350CF3916707@INBANSXCHMBSA1.in.alcatel-lucent.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Sun, 19 Sep 2010 10:29:23 -0400 (EDT)
Cc: "draft-ietf-opsec-igp-crypto-requirements.all@tools.ietf.org" <draft-ietf-opsec-igp-crypto-requirements.all@tools.ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-opsec-igp-crypto-requirements
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Sep 2010 14:29:03 -0000

On Thu, 16 Sep 2010, Bhatia, Manav (Manav) wrote:

>> In describing each routing protocol's authentication options, it 
>> would be helpful to say whether there's any in-band negotiation 
>> available.
>
> I am not sure I understand what's being meant by in-band negotiation 
> here?

Many protocols negotiate which crypto algorithm (or even more generic 
security mechanism) to use.  Those negotiations, if done poorly, can 
be subject to downgrade attacks.

Given how common security negotiation is, it's worthwhile to point out 
whether or not each of these protocols does it or whether they depend 
entirely on static configuration of each endpoint.

-- Sam
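The downgrade risk Sam describes, as an added illustration that is not part of the mail thread or of the draft under review: a toy model of in-band algorithm negotiation between two routers, contrasting an endpoint that blindly takes the best algorithm both sides list with one that enforces a locally configured minimum and authenticates the negotiation transcript under the shared key. The algorithm names, the ranking in `ALG_STRENGTH`, the function names and the tampering attacker are all constructed for this example and do not describe any real IGP's behaviour.

```python
"""Added example (not from the original mail): toy in-band negotiation of an
authentication algorithm, showing how a bare "strongest common algorithm"
choice is downgraded by a rewritten offer, and how a static local minimum
plus a transcript MAC defends it. All names and values are constructed."""
import hashlib
import hmac

# Constructed ranking of authentication algorithms, weakest first.
# Illustrative only; not a statement about any real routing protocol.
ALG_STRENGTH = {"none": 0, "md5": 1, "hmac-sha1": 2, "hmac-sha256": 3}


def naive_select(local_offer, peer_offer):
    """Downgrade-prone: pick the strongest algorithm both sides list, with
    no floor. If the peer's offer was rewritten on the wire to list only a
    weak algorithm, this happily selects it."""
    common = [a for a in local_offer if a in peer_offer]
    if not common:
        return None
    return max(common, key=lambda a: ALG_STRENGTH[a])


def policy_select(local_offer, peer_offer, minimum):
    """Defended: same intersection, but refuse anything below the locally
    configured minimum, so a tampered offer cannot push the session below
    what the operator statically configured on this endpoint."""
    chosen = naive_select(local_offer, peer_offer)
    if chosen is None or ALG_STRENGTH[chosen] < ALG_STRENGTH[minimum]:
        return None
    return chosen


def transcript_mac(key, initiator_offer, responder_offer, chosen):
    """MAC over the whole negotiation transcript (both offers plus the
    outcome) under the pre-shared key. Both sides compute it over the
    offers as they saw them, so any in-flight modification shows up as a
    mismatch. Transcript order is fixed by role (initiator, responder)."""
    transcript = "|".join(
        [",".join(initiator_offer), ",".join(responder_offer), chosen]
    )
    return hmac.new(key, transcript.encode(), hashlib.sha256).hexdigest()


def transcript_ok(key, initiator_offer, responder_offer, chosen, peer_mac):
    expected = transcript_mac(key, initiator_offer, responder_offer, chosen)
    return hmac.compare_digest(expected, peer_mac)


def run_session(a_offer, b_offer, key, minimum, tamper=None):
    """Simulate initiator A and responder B exchanging offers. `tamper`, if
    given, is a constructed on-path attacker that rewrites each offer as it
    crosses the wire. Returns (algorithm A will use or None, transcript
    verified?)."""
    a_offer_seen_by_b = tamper(a_offer) if tamper else a_offer
    b_offer_seen_by_a = tamper(b_offer) if tamper else b_offer

    # Each side applies its own static policy to the offers it received.
    a_choice = policy_select(a_offer, b_offer_seen_by_a, minimum)
    b_choice = policy_select(a_offer_seen_by_b, b_offer, minimum)
    if a_choice is None or b_choice is None:
        return None, False

    # B authenticates the transcript as B saw it; A checks it against A's view.
    b_mac = transcript_mac(key, a_offer_seen_by_b, b_offer, b_choice)
    verified = transcript_ok(key, a_offer, b_offer_seen_by_a, a_choice, b_mac)
    return (a_choice if verified else None), verified


if __name__ == "__main__":
    a = ["hmac-sha256", "hmac-sha1", "md5"]
    b = ["hmac-sha1", "md5"]
    key = b"constructed-demo-key"
    strip_to_md5 = lambda offer: [x for x in offer if x == "md5"]

    print("naive, tampered offer   ->", naive_select(a, strip_to_md5(b)))
    print("policy floor, tampered  ->", policy_select(a, strip_to_md5(b), "hmac-sha1"))
    print("honest session          ->", run_session(a, b, key, "hmac-sha1"))
    print("no floor but MAC'd      ->", run_session(a, b, key, "none", strip_to_md5))
```

The two defences are independent: the policy floor is what a purely static configuration gives you (the endpoint never agrees to less than the operator configured), while the transcript MAC catches a rewritten offer even when the floor would have allowed the weaker result, which is the property a negotiating protocol needs if it wants to avoid the downgrade problem Sam raises.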