Re: [secdir] Secdir review of draft-ietf-karp-isis-analysis-04

Uma Chunduri <uma.chunduri@ericsson.com> Mon, 06 July 2015 19:55 UTC

From: Uma Chunduri <uma.chunduri@ericsson.com>
To: Takeshi Takahashi <takeshi_takahashi@nict.go.jp>, "draft-ietf-karp-isis-analysis.all@tools.ietf.org" <draft-ietf-karp-isis-analysis.all@tools.ietf.org>
Thread-Topic: Secdir review of draft-ietf-karp-isis-analysis-04
Date: Mon, 6 Jul 2015 19:55:32 +0000
Message-ID: <1B502206DFA0C544B7A60469152008633F749A8C@eusaamb105.ericsson.se>
References: <006f01d0b595$baae8b20$300ba160$@nict.go.jp>
In-Reply-To: <006f01d0b595$baae8b20$300ba160$@nict.go.jp>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Y-m8Msn1xcMvImt641FhSSqf30Y>
Cc: "karp-chairs@tools.ietf.org" <karp-chairs@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-karp-isis-analysis-04

Hi Take,

Thanks for your review and comments. Shall address both your comments in the next update, i.e.,
a. Ref. to 5310 in Section 4
b. Shall recommend usage of RFC 5310 instead of RFC 5304 (HMAC-MD5)

" In view of openly published attack vectors, as noted in Section 1 of [RFC5310] on HMAC-MD5 cryptographic authentication mechanism,
   IS-IS deployments SHOULD use HMAC-SHA family [RFC5310] instead of HMAC-MD5 [RFC5304] for protecting IS-IS PDUs."

Please suggest if the above is sufficient to address #b (or I am happy to consider better text). Thx!

--
Uma C.
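The recommendation above (prefer the RFC 5310 cryptographic Authentication TLV over the RFC 5304 HMAC-MD5 one) can be made concrete on the receiving side. The following is an added illustration, not text or code from the draft or from either reviewer: it builds an IS-IS Authentication TLV (type 10) in both the RFC 5304 shape (type 54, 16-octet HMAC-MD5, no Key ID) and the RFC 5310 shape (type 3, 16-bit Key ID, HMAC-SHA-256 digest, Apad 0x878FE1F3 filling the digest field during computation), and a verifier that rejects the MD5 form outright and checks the SHA form with a constant-time comparison. It assumes standard RFC 2104 HMAC keying as implemented by `hmac`/`hashlib` (RFC 5310's own key-preparation step is not reproduced), and the sample TLVs and key are constructed for the example.

```python
import hashlib
import hmac
import struct

# Authentication-type codes carried in the IS-IS Authentication TLV (type 10).
AUTH_CLEARTEXT = 1   # RFC 1195 cleartext password
AUTH_CRYPTO = 3      # RFC 5310 generic cryptographic authentication (HMAC-SHA family)
AUTH_HMAC_MD5 = 54   # RFC 5304 HMAC-MD5
AUTH_TLV = 10

# RFC 5310 Apad: 0x878FE1F3 repeated to fill the digest field while computing the HMAC.
APAD_WORD = bytes.fromhex("878FE1F3")


def apad(length):
    return (APAD_WORD * (length // 4 + 1))[:length]


def _crypto_auth_tlv(key_id, digest):
    # Value layout: Auth Type (1 octet) | Key ID (2 octets) | Authentication Data.
    value = struct.pack("!BH", AUTH_CRYPTO, key_id) + digest
    return struct.pack("!BB", AUTH_TLV, len(value)) + value


def sign_pdu(pdu_tlvs, key_id, key, algo="sha256"):
    # RFC 5310 form: digest field holds Apad while the HMAC is taken over the whole PDU.
    digest_len = hashlib.new(algo).digest_size
    with_apad = pdu_tlvs + _crypto_auth_tlv(key_id, apad(digest_len))
    mac = hmac.new(key, with_apad, algo).digest()
    return pdu_tlvs + _crypto_auth_tlv(key_id, mac)


def sign_pdu_md5(pdu_tlvs, key):
    # Legacy RFC 5304 form: type 54, no Key ID, 16-octet digest zero-filled during computation.
    def tlv(digest):
        return struct.pack("!BBB", AUTH_TLV, 17, AUTH_HMAC_MD5) + digest
    mac = hmac.new(key, pdu_tlvs + tlv(bytes(16)), "md5").digest()
    return pdu_tlvs + tlv(mac)


def verify_pdu(pdu, keys, algo="sha256"):
    """Return (ok, reason). keys maps Key ID -> shared key bytes."""
    i = 0
    while i + 2 <= len(pdu):            # walk the TLV list to find the Authentication TLV
        t, length = pdu[i], pdu[i + 1]
        value = pdu[i + 2:i + 2 + length]
        if len(value) != length:
            return False, "truncated TLV"
        if t == AUTH_TLV:
            break
        i += 2 + length
    else:
        return False, "no authentication TLV"
    if not value:
        return False, "empty authentication TLV"
    auth_type = value[0]
    if auth_type == AUTH_HMAC_MD5:
        return False, "HMAC-MD5 (RFC 5304) rejected; RFC 5310 HMAC-SHA required"
    if auth_type != AUTH_CRYPTO or len(value) < 3:
        return False, "unsupported authentication type %d" % auth_type
    key_id = struct.unpack("!H", value[1:3])[0]
    received = value[3:]
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    digest_len = hashlib.new(algo).digest_size
    if len(received) != digest_len:
        return False, "digest length mismatch"
    # Recompute with Apad in the digest field, leaving every other octet of the PDU intact.
    with_apad = pdu[:i] + _crypto_auth_tlv(key_id, apad(digest_len)) + pdu[i + 2 + length:]
    expected = hmac.new(key, with_apad, algo).digest()
    if not hmac.compare_digest(expected, received):
        return False, "bad HMAC"
    return True, "ok"


# Constructed sample: Area Addresses TLV (area 49.0001) and Protocols Supported TLV (IP).
SAMPLE_TLVS = bytes([1, 4, 3, 0x49, 0x00, 0x01]) + bytes([129, 1, 0xCC])
KEYS = {1: b"constructed-example-key"}   # constructed key, not a deployment value

if __name__ == "__main__":
    pdu = sign_pdu(SAMPLE_TLVS, 1, KEYS[1])
    print(verify_pdu(pdu, KEYS))                           # (True, 'ok')
    print(verify_pdu(sign_pdu_md5(SAMPLE_TLVS, KEYS[1]), KEYS))  # MD5 form rejected
```

The verifier reads the authentication type before touching any key material, so a PDU still carrying the RFC 5304 type-54 TLV is refused with a reason that can be logged; the Key ID lookup is what lets a deployment roll from one key to the next without a flag day.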

-----Original Message-----
From: Takeshi Takahashi [mailto:takeshi_takahashi@nict.go.jp] 
Sent: Friday, July 03, 2015 6:40 AM
To: draft-ietf-karp-isis-analysis.all@tools.ietf.org
Cc: iesg@ietf.org; secdir@ietf.org; karp-chairs@tools.ietf.org
Subject: RE: Secdir review of draft-ietf-karp-isis-analysis-04

Let me add one more comment here.
We could probably discourage the use of HMAC-MD5, and encourage the use of HMAC-SHA family instead.

Take

> -----Original Message-----
> From: Takeshi Takahashi [mailto:takeshi_takahashi@nict.go.jp]
> Sent: Friday, July 3, 2015 1:10 PM
> To: 'draft-ietf-karp-isis-analysis.all@tools.ietf.org'
> Cc: 'iesg@ietf.org'; 'secdir@ietf.org'; 'karp-chairs@tools.ietf.org'
> Subject: Secdir review of draft-ietf-karp-isis-analysis-04
> 
> Hello,
> 
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors.
> Document editors and WG chairs should treat these comments just like any
> other last call comments.
> 
> This document is ready for publication.
> 
> [summary of this document]
> 
> This document analyzes the threats of IS-IS protocol.
> It first summarizes the current state of the IS-IS protocol, with special
> focus on key usage and key management (in section 2), and then analyzes the
> security gaps in order to identify security requirements (in section 3).
> 
> In the summary of the current state of the protocol (section 2), it already
> mentioned the threats of the protocol, i.e. replay attack and spoofing
> attack, for each of the three message types of IS-IS protocol.
> Section 3 summarizes, organizes, and develops the threat analysis and
> provides candidate direction to cope with the threats by listing requirements
> and by listing related I-D works.
> 
> [minor comment]
> 
> As mentioned in the security consideration section, this draft does not
> modify any of the existing protocols.
> It thus does not produce any new security concerns.
> So, the security consideration section seems adequate.
> The authors could consider citing RFC 5310 in Section 5, since I feel like
> that this draft does not discuss all the content of the consideration
> section of the rfc (it does discuss major parts of the section, though).
> 
> Cheers,
> Take
>