IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-ietf-pals-p2mp-pw-03

Tero Kivinen <kivinen@iki.fi> Thu, 31 August 2017 22:50 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CC9A132F2A for <secdir@ietfa.amsl.com>; Thu, 31 Aug 2017 15:50:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level:
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1KCSqnZkil1g for <secdir@ietfa.amsl.com>; Thu, 31 Aug 2017 15:50:52 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [212.16.101.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BE47132E26 for <secdir@ietf.org>; Thu, 31 Aug 2017 15:50:51 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v7VMolEC015453 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 1 Sep 2017 01:50:47 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v7VMoluE001058; Fri, 1 Sep 2017 01:50:47 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22952.37575.299245.614169@fireball.acr.fi>
Date: Fri, 01 Sep 2017 01:50:47 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Stewart Bryant <stewart.bryant@gmail.com>
Cc: iesg@ietf.org, secdir@ietf.org, draft-ietf-pals-p2mp-pw.all@tools.ietf.org, "mpls-chairs@ietf.org" <mpls-chairs@ietf.org>, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, "pals-chairs@tools.ietf.org" <pals-chairs@tools.ietf.org>
In-Reply-To: <29b3a151-0a79-d2f0-c051-35396010e2c6@gmail.com>
References: <201708270627.v7R6RLjk004141@fireball.acr.fi> <aed969e4-31be-cf77-8bbe-598f0407c4f3@gmail.com> <201708280757.v7S7vZxH028695@fireball.acr.fi> <29b3a151-0a79-d2f0-c051-35396010e2c6@gmail.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 2 min
X-Total-Time: 1 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/tRnoj0L4-mqw2VY3RwzWZ-kKzJU>
Subject: Re: [secdir] Secdir review of draft-ietf-pals-p2mp-pw-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Aug 2017 22:50:54 -0000

Stewart Bryant writes:
> How about if we changed the security text to something of the form:
> 
> In general the security measures described in [RFC4447bis] are
> adequate for this protocol. However the use of MD5 as the method of
> securing an LDP control plane is no longer considered adequately
> secure. Implementations should be written in such a way that they
> can migrate to a more secure cryptographic hash function when that
> function is agreed as the new default hash for LDP.

Looks mostly good, except I would say "... can migrate to more secure
authentication algorithm when ...", i.e., the next authentication
method to be used in the LDP might not be simple hash based
authentication algorithm. 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email