Re: [secdir] SecDir review of draft-ietf-mpls-ldp-hello-crypto-auth-05
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 21 May 2014 12:58 UTC
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>, Loa Andersson <loa@pi.nu>, Manav Bhatia <manavbhatia@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/nS98_Ax3HcTbtMiIRGvGAqWC-80
Cc: "draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org" <draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org>, The IESG <iesg@ietf.org>, IETF Security Directorate <secdir@ietf.org>
On 21/05/14 12:14, Bhatia, Manav (Manav) wrote:
> I agree with Loa.
>
> Our current draft is very simple and has gone through multiple
> iterations of reviews in at least two WGs. It brings LDP to the same
> level of security as other protocols running in the networks.

Fully agree with that goal.

> I think we should just push it forward and if there is an interest in
> writing a new ID that updates HMAC specification, then we write one
> that includes the Apad stuff. I think the latter should anyways be
> done, regardless of what happens to this particular draft.

I need to read it. But I'd be happier if that HMAC draft existed and
was going to be processed - then we wouldn't have to do this discussion
again.

Cheers,
S.

> The IETF submission site is down and hence couldn't upload the
> revised ID (addressing Yaron's comments). Will do it tomorrow once
> it's up.
>
> After that it's ready to be placed before the IESG.
>
> Cheers, Manav
>
>> -----Original Message-----
>> From: Loa Andersson [mailto:loa@pi.nu]
>> Sent: Wednesday, May 21, 2014 4:29 PM
>> To: Manav Bhatia; Stephen Farrell
>> Cc: Bhatia, Manav (Manav); IETF Security Directorate; The IESG;
>> draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org; Yaron Sheffer
>> Subject: Re: SecDir review of draft-ietf-mpls-ldp-hello-crypto-auth-05
>>
>> Folks,
>>
>> I'm only the document shepherd. My feeling is that we are raising
>> the hurdle step by step for the KARP-initiated RFCs, the first
>> was comparatively smooth, now we are trying to put an 18 months
>> effort (individual draft to RFC) in front of approving something
>> that is comparatively simple and seen as raising LDP to the same
>> security as the other routing protocols.
>>
>> So if we get too tired to push this, we are all better off not
>> doing the security work for this particular protocol?
>>
>> Someone said - "Never let the best be the enemy of the possible"!
>>
>> /Loa
>>
>> On 2014-05-21 12:39, Manav Bhatia wrote:
>>> Stephen,
>>>
>>>>> This however is a long drawn discussion because everyone
>>>>> needs to be convinced on the merits of updating the HMAC
>>>>> specification -- which I am not sure will take how long.
>>>>
>>>> So I need to look at this draft, HMAC and the other cases but
>>>> it seems to me that you're copying a page or two of crypto spec
>>>> each time and changing one line. Doing that over and over is a
>>>> recipe for long term pain, isn't it?
>>>
>>> It sure is.
>>>
>>> I had volunteered to write a 1-2 page long ID that updated the
>>> HMAC to include the Apad, but the idea was shot down. The only
>>> alternative left was to include the crypto stuff in each standard
>>> that we wrote later.
>>>
>>>> (And we've had this discussion for each such draft while I've
>>>> been on the IESG I think, which is also somewhat drawn out;-)
>>>
>>> This draft is probably the last one that's coming from the Routing
>>> WG which will have this level of crypto mathematics spelled out.
>>> All other IGPs are already covered. In case we need to change
>>> something in the ones already covered we can refer to the base RFC
>>> where we have detailed the crypto maths. For example,
>>> draft-ietf-ospf-security-extension-manual-keying-08 amongst
>>> other things also updates the definition of Apad. It points to
>>> the exact mathematics in RFC 5709 and only updates the Apad
>>> definition in that draft. This draft btw has cleared the WG LC
>>> and would be appearing before you guys very soon.
>>>
>>> Given this, I think we should just pass this draft with this
>>> level of details. Subsequently, when LDP wants to update
>>> something, it can normatively refer to this RFC and only give the
>>> changes.
>>>
>>> Cheers, Manav
>>>
>>>> S.
>>>>
>>>>> Cheers, Manav
>>>>>
>>>>>> S
>>>>>>
>>>>>>> Cheers, Manav
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
>>>>>>>> Sent: Wednesday, May 21, 2014 2:53 AM
>>>>>>>> To: Bhatia, Manav (Manav); IETF Security Directorate; The IESG;
>>>>>>>> draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org
>>>>>>>> Cc: Yaron Sheffer; manavbhatia@gmail.com
>>>>>>>> Subject: Re: SecDir review of
>>>>>>>> draft-ietf-mpls-ldp-hello-crypto-auth-05
>>>>>>>>
>>>>>>>> On 19/05/14 21:27, Yaron Sheffer wrote:
>>>>>>>>>>> * 5.1: Redefining HMAC (RFC 2104) is an extremely
>>>>>>>>>>> bad idea. This reviewer does not have the
>>>>>>>>>>> appropriate background to critique the proposed
>>>>>>>>>>> solution, but there must be an overwhelming
>>>>>>>>>>> reason to reopen cryptographic primitives.
>>>>>>>>>>
>>>>>>>>>> This is a decision that was taken by Sec Ads when
>>>>>>>>>> we were doing the crypto protection for the IGPs
>>>>>>>>>> based on some feedback from NIST. This
>>>>>>>>>> mathematics is not new and has been done for all
>>>>>>>>>> IGPs and has been approved and rather encouraged by
>>>>>>>>>> the Security ADs.
>>>>>>>>
>>>>>>>> The above does not sound like something I recognise. I
>>>>>>>> have repeatedly asked that documents not re-define
>>>>>>>> HMAC. Perhaps this time, I'll make that a DISCUSS and
>>>>>>>> not budge. I probably should have done that before
>>>>>>>> TBH.
>>>>>>>>
>>>>>>>> If you are revising that doc, *please* get rid of the
>>>>>>>> re-definition and just properly refer to HMAC. It's
>>>>>>>> about time to stop repeating that error.
>>>>>>>>
>>>>>>>> S.
>>
>> --
>>
>> Loa Andersson                      email: loa@mail01.huawei.com
>> Senior MPLS Expert                        loa@pi.nu
>> Huawei Technologies (consultant)   phone: +46 739 81 21 64
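To make concrete what the thread is arguing over, here is an added example (not code from the draft, from RFC 5709, or from any participant): the "spelled-out" Ko / Ipad / Opad / First-Hash / Second-Hash steps that these routing-security drafts copy inline, beside a plain library HMAC call per RFC 2104, both applied to a message in which the Apad constant occupies the Authentication Data field. The Apad value (0x878FE1F3 repeated to one hash length) is taken from RFC 5709 as I recall it, and placing Apad after the rest of the data is a simplifying assumption rather than the draft's actual TLV layout.

```python
import hashlib
import hmac

# Apad as defined in RFC 5709 (reused by the LDP hello draft): the 4-octet
# constant 0x878FE1F3 repeated to fill exactly one hash-output length.
APAD_WORD = bytes.fromhex("878FE1F3")


def apad(hash_len: int) -> bytes:
    """Return Apad sized for a hash whose output is hash_len octets."""
    return APAD_WORD * (hash_len // len(APAD_WORD))


def expanded_hmac(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC written out step by step, as the drafts re-state it inline.
    Every step is the RFC 2104 definition; nothing here is new maths."""
    h = hashlib.new(hash_name)
    block = h.block_size
    if len(key) > block:                     # RFC 2104: hash over-long keys
        key = hashlib.new(hash_name, key).digest()
    ko = key.ljust(block, b"\x00")           # Ko: key zero-padded to block size
    ipad = bytes(b ^ 0x36 for b in ko)       # Ko XOR Ipad
    opad = bytes(b ^ 0x5C for b in ko)       # Ko XOR Opad
    first_hash = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + first_hash).digest()   # Second-Hash


def hello_digest(key: bytes, data: bytes, hash_name: str = "sha256",
                 spelled_out: bool = False) -> bytes:
    """Digest over the protocol data with Apad standing in for the (not yet
    filled) Authentication Data field. Apad is the only protocol-specific
    input; the rest is unmodified HMAC, whichever way it is written down.
    Assumption: the field is modelled as trailing the rest of the data."""
    hash_len = hashlib.new(hash_name).digest_size
    msg = data + apad(hash_len)
    if spelled_out:
        return expanded_hmac(key, msg, hash_name)
    return hmac.new(key, msg, hash_name).digest()


def verify(key: bytes, data: bytes, received: bytes,
           hash_name: str = "sha256") -> bool:
    """Receiver side: recompute and compare in constant time."""
    expected = hello_digest(key, data, hash_name)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample input, not a captured LDP hello.
    key, data = b"example-shared-key", b"LDP-hello-sample-bytes"
    assert hello_digest(key, data, spelled_out=True) == hello_digest(key, data)
    print("spelled-out HMAC == library HMAC:", verify(key, data, hello_digest(key, data)))
```

The point the example makes is the one Stephen raises: once Apad is in the field, the remaining "mathematics" is exactly HMAC, so a draft can place Apad and normatively cite RFC 2104 instead of restating it.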