Re: [secdir] SecDir review of draft-ietf-mpls-ldp-hello-crypto-auth-05

Uri Blumenthal <uri@MIT.EDU> Fri, 16 May 2014 14:43 UTC

Message-ID: <20140516104303.5znqhmi83ockgsgg@webmail.mit.edu>
Date: Fri, 16 May 2014 10:43:03 -0400
From: Uri Blumenthal <uri@MIT.EDU>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
References: <53761B24.1060501@gmail.com>
In-Reply-To: <53761B24.1060501@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/yEOhRtSEPkKr1xRfKyg9esMJbq4
Cc: draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org, secdir@ietf.org

Quoting Yaron Sheffer <yaronf.ietf@gmail.com>:
> .......
> This document proposes to add cryptographic authentication to LDP "all
> routers" Hello messages, which are transported as unicast UDP.
>
> • 5.1: Redefining HMAC (RFC 2104) is an extremely bad idea. This 
> reviewer does not have the appropriate background to critique the 
> proposed solution, but there must be an overwhelming reason to reopen
> cryptographic primitives.

They do seem to be using HMAC, even though without explicitly naming it so (5.1 and 5.2). Also, HMAC is referred to in the Normative References.

> • "The mechanism described herein is not perfect and does not need to be
> perfect." This is kind of vague, and would be better replaced by your
> security goals.

Concur. :-)