Re: [secdir] secdir review of draft-ietf-mpls-gach-adv-06

Leif Johansson <> Mon, 18 February 2013 15:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A0C0E21F87AD; Mon, 18 Feb 2013 07:07:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_12=0.6]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yxQqaRTaGaDy; Mon, 18 Feb 2013 07:07:33 -0800 (PST)
Received: from ( [IPv6:2001:948:4:1::66]) by (Postfix) with ESMTP id 9575B21F875C; Mon, 18 Feb 2013 07:07:32 -0800 (PST)
Received: from [] ([]) (authenticated bits=0) by (8.14.5/8.14.3) with ESMTP id r1IF7NKL024283 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 18 Feb 2013 16:07:26 +0100 (CET)
Message-ID: <>
Date: Mon, 18 Feb 2013 16:07:23 +0100
From: Leif Johansson <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: Dan Frost <>
References: <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc:, "" <>, "" <>
Subject: Re: [secdir] secdir review of draft-ietf-mpls-gach-adv-06
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Feb 2013 15:07:34 -0000

On 02/18/2013 03:31 PM, Dan Frost wrote:
> Hi Leif,
> On Mon, Feb 18, 2013 at 02:08:15PM +0100, Leif Johansson wrote:
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the IESG.
>> These comments were written primarily for the benefit of the security
>> area directors.  Document editors and WG chairs should treat these
>> comments just like any other last call comments.
>> The technology is somewhat outside my area of expertise but I found
>> the document relatively easy to follow anyway.
> Thanks for your review.
>> I'm a fan of writing crypto-related algorithms with very little left 
>> for the imagination of the reader. To that end I would strongly suggest 
>> specifying what goes into the GAP message hash even more clearly. 
>> In this case I suspect the intent is that the inner hash is over all 
>> bytes of GAP message except the GAP authentication TLV which is added 
>> to the message _after_ the hash is computed.
> No need to suspect; the current text is explicit.  ;)  It says:
>    2.  First Hash
>           First, the Authentication Data field is filled with the value
>           Apad.
>           Then, a first hash, also known as the inner hash, is computed
>           as follows:
>              First-Hash = H(Ko XOR Ipad || (GAP Message))
>           Here the GAP Message is the portion of the packet that follows
>           the Associated Channel Header.
> The last paragraph specifies that the hash is computed over all bytes of
> the GAP Message that follow the Associated Channel Header.  This
> includes the Authentication TLV, which is not a problem because "First,
> the Authentication Data field is filled with the value Apad."
if you would just add that last sentence it would have been that
much clearer to me at least.
>> Conversely the validation phase needs to clearly say what bits of the
>> message are to be included in computing the hash.
> The text states that "When the message is received, the receiver
> computes a hash for it as described below", where "below" is Section 6.3
> (we should probably s/below/Section 6.3/ here).  In other words, the
> transmitter and receiver perform the same computation with the same
> input (modulo the Authentication Data field, which is normalised by the
> computation itself).
So in the verification phase you first fill the Authentication Data
field with Apad? That wasn't clear to me from reading the text.
>> Also I would change the timestamp verification step to use normative
>> language, eg: "... the receiver MUST, upon successfully authenticating
>> a message verify that the timestamp field corresponds... The receiver 
>> MUST silently discard a GAP message that fails timestamp verification."
> Well, use of the replay mitigation mechanism is not required, so I'm not
> sure that adding "MUST" language is appropriate.
I guess I'm then questioning the judgement of not making replay
checking a requirement since it seems fairly simple to do.
> Cheers,
> -d