Re: [secdir] Secdir review of draft-ietf-tcpm-tcp-ao-crypto-02

Gregory Lebovitz <> Tue, 09 March 2010 05:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 54F823A688E; Mon, 8 Mar 2010 21:52:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.144
X-Spam-Status: No, score=-102.144 tagged_above=-999 required=5 tests=[AWL=0.153, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, NORMAL_HTTP_TO_IP=0.001, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id k1Q708Jm6Eaz; Mon, 8 Mar 2010 21:52:39 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 460313A6849; Mon, 8 Mar 2010 21:52:34 -0800 (PST)
Received: by bwz3 with SMTP id 3so503056bwz.29 for <multiple recipients>; Mon, 08 Mar 2010 21:52:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=Yp5isnKVJ0S/RVYVqNzDEIM0rjD0OHW6qIP/kto3OFE=; b=SGIKfZIJifgR1CtWfIUQK5uctpaD9peEYoLLzGkoxZJtsr05alOY2pF4PZGkW54hXc Swk21rg+18B+i6Hr6wZfb4ABSlbV92J29W+LjuIIAscaBL0+2r/8mZL6NoItcnXoklld 2/FY+M2NIKmMGl86fyTZZ7u4MGVsVFSUEO3qU=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=qljnWWoCeyRcuoyMvZck0yMdmS6sHedtcWmab5SRXf4m2Mypiyjk4e+e/fgVtW482B ZqRFTeNSi9BrEZnSCrMgxTgQTZ6/5ysi/qAXGGkvN+jbCqnra/4OvusJlKtOlZ9URxio ogIzPFvNTc5vOUHwmLzKkiSw8dSQWwIiueue8=
MIME-Version: 1.0
Received: by with SMTP id u16mr189415bkt.165.1268113955194; Mon, 08 Mar 2010 21:52:35 -0800 (PST)
In-Reply-To: <>
References: <>
Date: Mon, 8 Mar 2010 21:52:35 -0800
Message-ID: <>
From: Gregory Lebovitz <>
To: =?ISO-8859-1?Q?Magnus_Nystr=F6m?= <>, Eric Rescorla <>, Tim Polk <>
Content-Type: multipart/alternative; boundary=0015173fe6f6d58766048157c9f0
X-Mailman-Approved-At: Mon, 08 Mar 2010 23:53:50 -0800
Subject: Re: [secdir] Secdir review of draft-ietf-tcpm-tcp-ao-crypto-02
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 09 Mar 2010 05:52:40 -0000

Hey Magnus,
Thanks a lot for the review. Comments inline below...

On Fri, Mar 5, 2010 at 9:42 PM, Magnus Nyström <> wrote:

> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments
> This document specifies requirements on cryptographic algorithms to be
> used in the TCP Authentication Option (TCP APO). It also specifies
> some mandatory algorithms.
> Comments:
> Abstract:
> - The abstract does not mention that the document also specifies
> requirements on future algorithms. IMO, it should.


> Section 1:
> (- Last paragraph is what prompted my comment on the abstract.)
> Section 2.2:
> - Suggest moving the note explaining the need to mandate two MAC
> algorithms to the Security Considerations section as it does not
> contain normative text but does contain security considerations.

Good point. When I originally wrote this text it did contain normative text.
Then I got some feedback that maybe we should down-grade the text to be
non-normative, but still clear guidance. If you think it makes a big
difference, I can move it. Otherwise, I'd like to keep it with the text
describing the "template" for how all TCP-AO algos are used, so that people
who are looking for the template will see the text right there, whereas they
might miss it if they are skimming and don't make it all the way to the SC
section. Let me know what you think.

> - Section
> - It is a little surprising to see that the SHA-1-based MAC algorithm
> is selected as the default one, given that this is a new specification
> and the industry is moving away from SHA-1. C.f. the work on XML
> Encryption 1.1 and XML Signature 1.1 that specificallly recommends
> against use of SHA-1 in new applications.

In TCP-AO SHA-1 is used as an HMAC, not a signing algo, so it does not have
the same properties in this context, and has shown no weaknesses, afaik. As
you can imagine we had a very long debate around which algo to make
mandatory. In the end (as the text was supposed to explain), Pasi and Tim
chose SHA-1 for both its strength and its wide availability in the target
devices (routers -- this is first and foremost being done for BGP
protection). But, since it's been around a while, and we always want to have
2 good algos in place, one the older more available, and a newer
up-and-comer, the AES was also specified. Unless Pasi and Tim want to change
their recommendations to the TCPM WG, we'll probably sit tight with this the
way it reads currently.

> - Section 6 (Security Considerations):
> In the fourth paragraph, there is a discussion around the fact that
> the document does not force use of a 16 octet key. I think it would be
> useful to at least clearly state a recommended minimum key size.

Interesting point. We had this debate in WG too.
My .02:  this is a security vs convenience thing. We give the deployer
plenty enough guidance and pointers to other RFC's and NIST docs to allow
them to do their homework to decide what length key they want, stopping just
short of telling them a recommended min key size. The deployers here are
router operators, for the most part. The ones that have a clue are already
using 128bit keys, generated randomly. The ones that aren't probably aren't
going to read this document anyway.

Any thoughts from Tim or EKR?

> Editorial:
> Section 1:
> - "between to endpoints" - "between two endpoints"?

good catch

> Section 3.1.1:
> - "fixed-length output lengths" -> "fixed-length output"?

good one

> Section 3.2.1:
> - "will be that has" -> "will be that"?

got it.

Thanks a ton again, Magnus. Good read. Much appreciated,

> -- Magnus

IETF related email from
Gregory M. Lebovitz
Juniper Networks