IETF Logo Mail Archive

Re: [secdir] SecDir review of draft-ietf-mpls-ldp-hello-crypto-auth-05

Uri Blumenthal <uri@MIT.EDU> Wed, 21 May 2014 15:58 UTC

Return-Path: <uri@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA34A1A073F; Wed, 21 May 2014 08:58:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.251
X-Spam-Level:
X-Spam-Status: No, score=-3.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nK64awR3_s8W; Wed, 21 May 2014 08:58:26 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D5F01A06F9; Wed, 21 May 2014 08:58:22 -0700 (PDT)
X-AuditID: 12074423-f79916d000000c54-3d-537ccd1cfab9
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id 77.42.03156.C1DCC735; Wed, 21 May 2014 11:58:20 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id s4LFwGHH031442; Wed, 21 May 2014 11:58:17 -0400
Received: from [192.168.1.112] (chostler.hsd1.ma.comcast.net [24.62.227.134]) (authenticated bits=0) (User authenticated as uri@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s4LFwAhk024544 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 21 May 2014 11:58:11 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_C163AF87-0188-46A4-B184-FDFA7E675C56"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Uri Blumenthal <uri@MIT.EDU>
In-Reply-To: <537CB73B.7040408@gmail.com>
Date: Wed, 21 May 2014 11:58:09 -0400
Message-Id: <2D72A0EF-C4DD-4695-95D4-0744AA1AB02B@mit.edu>
References: <53761B24.1060501@gmail.com> <20211F91F544D247976D84C5D778A4C32E60982F@SG70YWXCHMBA05.zap.alcatel-lucent.com> <537A694C.60101@gmail.com> <537BC7B6.5040406@cs.tcd.ie> <20211F91F544D247976D84C5D778A4C32E60B609@SG70YWXCHMBA05.zap.alcatel-lucent.com> <537C5BCE.4010801@cs.tcd.ie> <20211F91F544D247976D84C5D778A4C32E60B6A8@SG70YWXCHMBA05.zap.alcatel-lucent.com> <537C7EDB.9050000@cs.tcd.ie> <CAG1kdogiEJp=jy5D+tvXnAZ2XD0Xe1=kB-do_=h4PU1V9j7KKQ@mail.gmail.com> <537C86D6.1030703@pi.nu> <20211F91F544D247976D84C5D778A4C32E60BA5C@SG70YWXCHMBA05.zap.alcatel-lucent.com> <537CA2D2.4070103@cs.tcd.ie> <54E263B5-41C7-4523-9941-B3E39AE077CD@mit.edu> <537CB73B.7040408@gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
X-Mailer: Apple Mail (2.1878.2)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrGKsWRmVeSWpSXmKPExsUixCmqrCtztibY4PN9EYu75zeyWcz4M5HZ 4t/cOcwWc+7dY7W4PKmN3eLDwocsFtP3XmO3WHV/BrsDh0frs72sHmu7r7J57Jx1l91jyZKf TB6zprexeXy5/JktgC2KyyYlNSezLLVI3y6BK+P2jgmsBc1zGSvePg9tYNzfytjFyMkhIWAi cevrWShbTOLCvfVsXYxcHEICs5kk/nf0MIEkhAQ2MkrsPSUHkdjHJDGxpZMdJMEskCCx6Gsj M4jNK2Agca1/PdgkYQF/iVV7G8DibAJKEs3NW1hBbE4BTYnpH4+B1bAIqEo8uv2ZFWQos8A0 ZokNc/4zQgyykng+7xcrxLalrBKTTlwEOoODQwSoe9pRK4hT5SVmtJ9gn8AoMAvJHbOQ3AER 15ZYtvA1M4RtIPG08xUrpri+xJt3c5gWMLKtYpRNya3SzU3MzClOTdYtTk7My0st0jXTy80s 0UtNKd3ECIosdhflHYx/DiodYhTgYFTi4V1QVB0sxJpYVlyZe4hRkoNJSZQ3ZUdNsBBfUn5K ZUZicUZ8UWlOavEhRgkOZiUR3oP7gHK8KYmVValF+TApaQ4WJXHet9ZWwUIC6YklqdmpqQWp RTBZGQ4OJQnebaeBGgWLUtNTK9Iyc0oQ0kwcnCDDeYCGzwSp4S0uSMwtzkyHyJ9iNOY4N+dU GxNHy78zbUxCLHn5ealS4rxtIKUCIKUZpXlw02DJ8RWjONBzwrx1IFU8wMQKN+8V0ComoFV/ F1eCrCpJREhJNTA6zZbU+r3zC4/Mpd6+l7c1lgiXNTpwH0yItNR/yfF7nee0jq1q904Zypqs 9n+WXBWRm7t9zya2k2+fse87PrF/gvoxbXbBktlzHINfHzBvzXfKl5APt/4e5pJaFP5QV7dB rWvR4+2eBYmPxbweOXz5ePbzqdviUa13cnweffz7/ckqV7tDuolKLMUZiYZazEXFiQAQgWVD aQMAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/rW_HYQCON8htep7Y5yEm6kHLziw
Cc: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>, IETF Security Directorate <secdir@ietf.org>, "draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org" <draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org>, The IESG <iesg@ietf.org>, Manav Bhatia <manavbhatia@gmail.com>, Loa Andersson <loa@pi.nu>
Subject: Re: [secdir] SecDir review of draft-ietf-mpls-ldp-hello-crypto-auth-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 May 2014 15:58:29 -0000

1. Leave the HMAC construct alone. Do not redefine it in the draft, do not spell it out in the draft, just use it/refer to it. Could you please make the text reflect this? Stephen suggested “for someone here to re-factor their text to just do their Apad thing but to not repeat text from 2104”, which makes perfect sense to me.

2. You can use HMAC to sign (hmm, authenticate :) anything you wish, including Apad. It should not be a concern from security point of view.

Thanks!

On May 21, 2014, at 10:24 , Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

> IMHO, this is purely a naming problem. Apad does NOT modify the base HMAC, please see http://tools.ietf.org/html/draft-ietf-mpls-ldp-hello-crypto-auth-05#section-5. It is just one more thing that's signed by HMAC.
> 
> My problem with this draft is that they have different ideas about the key length, compared to RFC 2104 (top of Sec. 5.1). Also, I am unhappy that they spell out the HMAC construction instead of leaving it as a black box.
> 
> But I think Apad is just fine, if it weren't for the unfortunate name that leads people to think it's modifying HMAC.
> 
> Thanks,
> 	Yaron
> 
> 
> On 05/21/2014 04:28 PM, Uri Blumenthal wrote:
>> Once again, please.
>> 
>> 1. Who specifically, at NIST and at IESG, says that HMAC needs Apad for security reasons (and therefore is not secure as-is)?
>> 
>> 2. What are those security reasons, and what are the attacks that are foiled by Apad?
>> 
>> 3. What published papers/references/whatever is this documented? As HMAC came with security proofs, I’d like to see where and how they are invalidated (if they indeed are).
>> 
>> 
>> 
>> On May 21, 2014, at 8:57 , Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>> 
>>> 
>>> 
>>> On 21/05/14 12:14, Bhatia, Manav (Manav) wrote:
>>>> I agree with Loa.
>>>> 
>>>> Our current draft is very simple and has gone through multiple
>>>> iterations of reviews in at least two WGs. It brings LDP to the same
>>>> level of security as other protocols running in the networks.
>>> 
>>> Fully agree with that goal.
>>> 
>>>> 
>>>> I think we should just push it forward and if there is an interest in
>>>> writing a new ID that updates HMAC specification, then we write one
>>>> that includes the Apad stuff. I think the latter should anyways be
>>>> done, regardless of what happens to this particular draft.
>>> 
>>> I need to read it. But I'd be happier if that HMAC draft existed
>>> and was going to be processed - then we wouldn't have to do this
>>> discussion again.
>>> 
>>> Cheers,
>>> S.
>>> 
>>>> 
>>>> The IETF submission site is down and hence couldn’t upload the
>>>> revised ID (addressing Yaron's comments). Will do it tomorrow once
>>>> its up.
>>>> 
>>>> After that its ready to be placed before the IESG.
>>>> 
>>>> Cheers, Manav
>>>> 
>>>>> -----Original Message----- From: Loa Andersson [mailto:loa@pi.nu]
>>>>> Sent: Wednesday, May 21, 2014 4:29 PM To: Manav Bhatia; Stephen
>>>>> Farrell Cc: Bhatia, Manav (Manav); IETF Security Directorate; The
>>>>> IESG; draft- ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org;
>>>>> Yaron Sheffer Subject: Re: SecDir review of
>>>>> draft-ietf-mpls-ldp-hello-crypto-auth-05
>>>>> 
>>>>> Folks,
>>>>> 
>>>>> I'm only the document shepherd. My feeling is that we are raising
>>>>> the hurdle step by step for the KARP - initiated RFCs, the first
>>>>> was comparatively smooth, now we are trying to put an 18 months
>>>>> effort (individual draft to RFC) in front of approving something
>>>>> that is comparatively simple and seen as raising LDP to the same
>>>>> security as the other routing protocols.
>>>>> 
>>>>> So if we get to tired to push this, we are all better off not
>>>>> doing the security work for this particular protocol?
>>>>> 
>>>>> Someone said - "Never let the best be the enemy of the possible"!
>>>>> 
>>>>> /Loa
>>>>> 
>>>>> 
>>>>> 
>>>>> On 2014-05-21 12:39, Manav Bhatia wrote:
>>>>>> Stephen,
>>>>>> 
>>>>>>>> This however is a long drawn discussion because everyone
>>>>>>>> needs to
>>>>> be
>>>>>>>> convinced on the merits of updating the HMAC specification --
>>>>>>>> which
>>>>> I
>>>>>>>> am not sure will take how long.
>>>>>>> 
>>>>>>> So I need to look at this draft, HMAC and the other cases but
>>>>>>> it seems to me that you're copying a page or two of crypto spec
>>>>>>> each time and changing one line. Doing that over and over is a
>>>>>>> recipe for long term pain, isn't it?
>>>>>> 
>>>>>> It sure is.
>>>>>> 
>>>>>> I had volunteered to write a 1-2 page long ID that updated the
>>>>>> HMAC
>>>>> to
>>>>>> include the Apad, but the idea was shot down. The only
>>>>>> alternative left was to include the crypto stuff in each standard
>>>>>> that we wrote later.
>>>>>> 
>>>>>>> 
>>>>>>> (And we've had this discussion for each such draft while I've
>>>>>>> been on the IESG I think, which is also somewhat drawn out;-)
>>>>>> 
>>>>>> This draft is probably the last one thats coming from the Routing
>>>>>> WG which will have this level of crypto mathematics spelled out.
>>>>>> All other IGPs are already covered. In case we need to change
>>>>>> something
>>>>> in
>>>>>> the ones already covered we can refer to the base RFC where we
>>>>>> have detailed the crypto maths. For example,
>>>>>> draft-ietf-ospf-security-extension-manual-keying-08 amongst
>>>>>> other things also updates the definition of Apad. It points to
>>>>>> the exact mathematics in RFC 5709 and only updates the Apad
>>>>>> definition in that draft. This draft btw has cleared the WG LC
>>>>>> and would be appearing before you guys very soon.
>>>>>> 
>>>>>> Given this, i think we should just pass this draft with this
>>>>>> level of details. Subsequently, when LDP wants to update
>>>>>> something, it can normatively refer to this RFC and only give the
>>>>>> changes.
>>>>>> 
>>>>>> Cheers, Manav
>>>>>> 
>>>>>>> 
>>>>>>> S.
>>>>>>> 
>>>>>>> 
>>>>>>>> 
>>>>>>>> Cheers, Manav
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> S
>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Cheers, Manav
>>>>>>>>>> 
>>>>>>>>>>> -----Original Message----- From: Stephen Farrell
>>>>>>>>>>> [mailto:stephen.farrell@cs.tcd.ie] Sent: Wednesday, May
>>>>>>>>>>> 21, 2014 2:53 AM To: Bhatia, Manav (Manav); IETF
>>>>>>>>>>> Security Directorate; The IESG; draft-
>>>>>>>>>>> ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org Cc:
>>>>>>>>>>> Yaron Sheffer; manavbhatia@gmail.com Subject: Re:
>>>>>>>>>>> SecDir review of
>>>>>>>>>>> draft-ietf-mpls-ldp-hello-crypto-auth-05
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> On 19/05/14 21:27, Yaron Sheffer wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> * 5.1: Redefining HMAC (RFC 2104) is an extremely
>>>>>>>>>>>>>> bad idea. This reviewer does not have the
>>>>>>>>>>>>>> appropriate background to critique the proposed
>>>>>>>>>>>>>> solution, but there must be an overwhelming
>>>>>>>>>>>>>> reason to
>>>>>>>>>>> reopen> >>>>> cryptographic primitives.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> This is a decision that was taken by Sec Ads when
>>>>>>>>>>>>> we were doing the crypto protection for the IGPs
>>>>>>>>>>>>> based on some feedback from NIST.
>>>>>>>>>>> This
>>>>>>>>>>>>> mathematics is not new and has been done for all
>>>>>>>>>>>>> IGPs and has been approved and rather encouraged by
>>>>>>>>>>>>> the Security ADs.
>>>>>>>>>>> 
>>>>>>>>>>> The above does not sound like something I recognise. I
>>>>>>>>>>> have repeatedly asked that documents not re-define
>>>>>>>>>>> HMAC. Perhaps this time, I'll make that a DISCUSS and
>>>>>>>>>>> not budge. I probably should have done that before
>>>>>>>>>>> TBH.
>>>>>>>>>>> 
>>>>>>>>>>> If you are revising that doc, *please* get rid of the
>>>>>>>>>>> re-definition and just properly refer to HMAC. Its
>>>>>>>>>>> about time to stop repeating that error.
>>>>>>>>>>> 
>>>>>>>>>>> S.
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>> 
>>>>> --
>>>>> 
>>>>> 
>>>>> Loa Andersson                        email: loa@mail01.huawei.com
>>>>> Senior MPLS Expert                          loa@pi.nu Huawei
>>>>> Technologies (consultant)     phone: +46 739 81 21 64
>>> 
>>> _______________________________________________
>>> secdir mailing list
>>> secdir@ietf.org
>>> https://www.ietf.org/mailman/listinfo/secdir
>>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>> 
>> _______________________________________________
>> secdir mailing list
>> secdir@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdir
>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>>

v2.23.0 | Report a Bug | By Email