Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-opsawg-l3sm-l3nm-10 Fri, 03 September 2021 08:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 805553A13EE; Fri, 3 Sep 2021 01:56:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NTsJw-_wyYwS; Fri, 3 Sep 2021 01:55:56 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6DCF63A1429; Fri, 3 Sep 2021 01:55:56 -0700 (PDT)
Received: from (unknown [xx.xx.xx.67]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by (ESMTP service) with ESMTPS id 4H1BTk14qRz5wfF; Fri, 3 Sep 2021 10:55:54 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=ORANGE001; t=1630659354; bh=qN2jgiHNM8Lep/GZAGT8e1tilbdCv268g4Ng86P1HdI=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=ZdTrkja/8o2fyzA7CQk6UaYLhuzekqNWwMJzdVIPwVr3VzZ+t51KLtcX0k5zKaHDC RIPl+BsI6mPIhA/JdLAHJux9TROrgHpTlgzKWY24FOMCgRK6uebe187fso0EaFUx9E M0Yhn9qsPg/UtArSJoBEguMmO6eozCkpzpkn0id+SQ+1OFrMBHpjyypYg3IXNvrg08 FPDFO5fBeha3E3aYswrRXHRj3Hnl27qji7j6ApHcnMOEESqgTtWNoEidr+jQzVcY+l EhEwj9iWJ0HLcQ+WeLYoUZFT1/Ft8sPC3rFGbvfmAFBZGoH0l3P1eNu15YXeIaUkPs l2EpsF1Oy78gw==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (ESMTP service) with ESMTPS id 4H1BTk0CSgzDq8T; Fri, 3 Sep 2021 10:55:54 +0200 (CEST)
From: <>
To: Benjamin Kaduk <>, tom petch <>
CC: "" <>, "" <>, Rifaat Shekh-Yusef <>, "" <>
Thread-Topic: [Last-Call] Secdir last call review of draft-ietf-opsawg-l3sm-l3nm-10
Thread-Index: AQHXgZdSwzNfaHSiC0m9Ry8G0T+4M6taA6cAgAcVkwCAMSMk4A==
Date: Fri, 3 Sep 2021 08:55:52 +0000
Message-ID: <29936_1630659354_6131E31A_29936_20_1_787AE7BB302AE849A7480A190F8B9330353E852D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <> <> <>
In-Reply-To: <>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-opsawg-l3sm-l3nm-10
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 03 Sep 2021 08:56:16 -0000

Hi Ben, all, 

Glad to see that you found the text where explain why MD5 is supported in the model. 

Added this NEW text to the security considerations section: 

   As discussed in Section 7.6.3, the module supports MD5 to basically
   accommodate the installed BGP base.  MD5 suffers from the
   security weaknesses discussed in Section 2 of [RFC6151] or
   Section 2.1 of [RFC6952].


> -----Message d'origine-----
> De : last-call [] De la part de
> Benjamin Kaduk
> Envoyé : mardi 3 août 2021 06:21
> À : tom petch <>
> Cc :;;
> Rifaat Shekh-Yusef <>om>;
> Objet : Re: [Last-Call] Secdir last call review of draft-ietf-
> opsawg-l3sm-l3nm-10
> Hi Tom,
> On Thu, Jul 29, 2021 at 05:10:00PM +0100, tom petch wrote:
> > Reading this I-D, I wondered what the secdir view is of
> recommending
> > the use of MD5 to secure the session as this I-D does for BGP.
> (Such
> > a use in NTP did generate a comment).
> This part:
>       'authentication':  The module adheres to the recommendations
> in
>          Section 13.2 of [RFC4364] as it allows enabling TCP-AO
>          [RFC5925] and accommodates the installed base that makes
> use of
>          MD5.  In addition, the module includes a provision for the
> use
> seems to be about as good as we can do given the current state of
> deployment and implementation.
> I will probably suggest adding some additional discussion of the
> weakness of MD5 to the security considerations in my ballot
> comments, if no such text appears before then.
> Thanks,
> Ben
> --
> last-call mailing list


Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.