Re: [secdir] SecDir review of draft-ietf-mpls-ldp-hello-crypto-auth-05
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 21 May 2014 10:24 UTC
Message-ID: <537C7EDB.9050000@cs.tcd.ie>
Date: Wed, 21 May 2014 11:24:27 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>, IETF Security Directorate <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org" <draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org>
References: <53761B24.1060501@gmail.com> <20211F91F544D247976D84C5D778A4C32E60982F@SG70YWXCHMBA05.zap.alcatel-lucent.com> <537A694C.60101@gmail.com> <537BC7B6.5040406@cs.tcd.ie> <20211F91F544D247976D84C5D778A4C32E60B609@SG70YWXCHMBA05.zap.alcatel-lucent.com> <537C5BCE.4010801@cs.tcd.ie> <20211F91F544D247976D84C5D778A4C32E60B6A8@SG70YWXCHMBA05.zap.alcatel-lucent.com>
In-Reply-To: <20211F91F544D247976D84C5D778A4C32E60B6A8@SG70YWXCHMBA05.zap.alcatel-lucent.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/Vf-WoSpPyhGyAmPN1m9AQN28QE4
Cc: "manavbhatia@gmail.com" <manavbhatia@gmail.com>
On 21/05/14 09:07, Bhatia, Manav (Manav) wrote:
> Stephen,
>
>>> The Apad is now employed for RIP, OSPF, OSPFv3. I see no reason
>>> why LDP should be an exception. The same has been proposed for
>>> BFD btw.
>>
>> Even given the above, I fail to see why you repeat this text over
>> and over and over. Is there a real logic for that?
>
> Yes. The logic is that Apad keeps changing based on the protocol.
> There are some specific attacks that can be prevented by defining
> Apad to mean something specific. In case of OSPFv2 it means the
> source address of the sender. In case of OSPFv3, it is a value where
> the first 16 octets contain the IPv6 source address followed by the
> hexadecimal value 0x878FE1F3 repeated (L-16)/4 times. L in this case
> is the length of the hash.
>
> In case of RIPv2 and IS-IS it's a fixed constant.
>
> In this draft Apad is defined as:
>
> In case of IPv4, the first 4 octets contain the IPv4 source address
> followed by the hexadecimal value 0x878FE1F3 repeated (L-4)/4 times.
> In case of IPv6, the first 16 octets contain the IPv6 source address
> followed by the hexadecimal value 0x878FE1F3 repeated (L-16)/4
> times.
>
> One way to avoid this duplication is by writing a new RFC that
> redefines HMAC and includes the Apad. Other documents can only
> mention the Apad value, while including a normative reference to that
> RFC.
>
> This however is a long drawn discussion because everyone needs to be
> convinced on the merits of updating the HMAC specification -- which I
> am not sure will take how long.

So I need to look at this draft, HMAC and the other cases but it
seems to me that you're copying a page or two of crypto spec each
time and changing one line. Doing that over and over is a recipe
for long term pain, isn't it? (And we've had this discussion for
each such draft while I've been on the IESG I think, which is also
somewhat drawn out;-)

S.
> Cheers, Manav
>
>>
>> S
>>
>>> Cheers, Manav
>>>
>>>> -----Original Message-----
>>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>>> Sent: Wednesday, May 21, 2014 2:53 AM
>>>> To: Bhatia, Manav (Manav); IETF Security Directorate; The IESG;
>>>> draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org
>>>> Cc: Yaron Sheffer; manavbhatia@gmail.com
>>>> Subject: Re: SecDir review of draft-ietf-mpls-ldp-hello-crypto-auth-05
>>>>
>>>> On 19/05/14 21:27, Yaron Sheffer wrote:
>>>>>>> * 5.1: Redefining HMAC (RFC 2104) is an extremely bad
>>>>>>> idea. This reviewer does not have the appropriate
>>>>>>> background to critique the proposed solution, but there
>>>>>>> must be an overwhelming reason to reopen
>>>>>>> cryptographic primitives.
>>>>>>
>>>>>> This is a decision that was taken by Sec Ads when we were
>>>>>> doing the crypto protection for the IGPs based on some
>>>>>> feedback from NIST. This mathematics is not new and has been
>>>>>> done for all IGPs and has been approved and rather encouraged
>>>>>> by the Security ADs.
>>>>
>>>> The above does not sound like something I recognise. I have
>>>> repeatedly asked that documents not re-define HMAC. Perhaps
>>>> this time, I'll make that a DISCUSS and not budge. I probably
>>>> should have done that before TBH.
>>>>
>>>> If you are revising that doc, *please* get rid of the
>>>> re-definition and just properly refer to HMAC. It's about time
>>>> to stop repeating that error.
>>>>
>>>> S.
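The Apad construction quoted in this thread, carried through with unmodified RFC 2104 HMAC rather than a re-spelled one. This is an added example, not code from the draft or from anyone in the thread; it assumes (the thread does not say) that Apad is written into the Authentication Data field at a known offset before the digest is computed, and the PDU layout used in the test is constructed, not real LDP encoding.

```python
import hashlib
import hmac
import ipaddress

# Fill constant quoted in the thread; repeated until Apad is L octets long.
APAD_FILL = bytes.fromhex("878FE1F3")


def apad(source_ip: str, hash_name: str) -> bytes:
    """Apad as the draft quoted above defines it.

    IPv4: 4-octet source address + 0x878FE1F3 repeated (L-4)/4 times.
    IPv6: 16-octet source address + 0x878FE1F3 repeated (L-16)/4 times.
    L is the digest length in octets of the hash in use.
    """
    prefix = ipaddress.ip_address(source_ip).packed  # 4 or 16 octets
    L = hashlib.new(hash_name).digest_size
    rest = L - len(prefix)
    if rest < 0 or rest % 4:
        raise ValueError(f"{hash_name}: L={L} cannot carry a {len(prefix)}-octet address")
    return prefix + APAD_FILL * (rest // 4)


def hello_digest(key: bytes, hash_name: str, source_ip: str,
                 pdu: bytes, auth_offset: int) -> bytes:
    """Digest over a Hello with plain RFC 2104 HMAC (Python's hmac module).

    Assumption, not stated in the thread: Apad is written into the
    L-octet Authentication Data field at auth_offset before hashing,
    so the protocol-specific value enters HMAC as message data and the
    HMAC construction itself needs no redefinition.
    """
    pad = apad(source_ip, hash_name)
    if auth_offset + len(pad) > len(pdu):
        raise ValueError("Authentication Data field does not fit in PDU")
    msg = pdu[:auth_offset] + pad + pdu[auth_offset + len(pad):]
    return hmac.new(key, msg, hash_name).digest()


def verify_hello(key: bytes, hash_name: str, source_ip: str,
                 pdu: bytes, auth_offset: int) -> bool:
    """Receiver side: recompute with the packet's source address and
    compare in constant time. A Hello replayed from another source
    address fails even though key and payload are unchanged."""
    L = hashlib.new(hash_name).digest_size
    received = pdu[auth_offset:auth_offset + L]
    expected = hello_digest(key, hash_name, source_ip, pdu, auth_offset)
    return hmac.compare_digest(received, expected)
```

Sign a Hello with hello_digest, copy the digest into the Authentication Data field, and verify_hello accepts it only from the source address it was computed for.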