Re: [secdir] Review of draft-ietf-opsec-routing-protocols-crypto-issues-04

["Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>]

 
> 
> For other keyed md5 varients more analysis is required, but I 
> would not
> at all be surprised if the conclusion were the same: the class of md5
> attacks we know about do not apply to md5 in these MAC constructions.
> 
> I think the best we can say for discouraging the use of md5 
> is something
> like "There have been attacks against the use of md5 as a hash; while
> these attacks do not directly apply to the use of MD5 in routing
> protocols, it is prudent to have other options available."
> 
> The current text implies that the format of the routing 
> packets, rather
> than the format of the MAC construction is what provides protection.
> Based on what we've learned about attacking certificates and based on
> the fact that all our routing protocols have some extension 
> mechanisms,
> I'd find a defense based on the structure of the packets incredibly
> weak.

Though I agree that the current attacks on MD5 do not currently apply to MD5 as used in routing protocols, I still think very strongly about our point that for an attack to happen we would need a completely acceptable packet format which may not happen and thereby reducing the probability of an attack. In cryptography one can never be sure of what all has already been broken (It was several years till it became common public knowledge about "enigma" cipher being broken) and its precisely the routing protocol packet format that provides an additional level of security. Assume a 64 byte OSPF HELLO packet using keyed MD5 as described in 2328. Assume that we have been able to find collisions with MD5 as used by OSPF. Even if we are able to find collisions, the probability of an attacker doing something meaningful is in the order of 1/2^64 for a given source and a dest IP.

Thus this really is the clincher in my opinion.

Thanks, Manav