Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 04 June 2011 16:38 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AE7BE06C3 for <sidr@ietfa.amsl.com>; Sat, 4 Jun 2011 09:38:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5sJ1-Vz2vOI5 for <sidr@ietfa.amsl.com>; Sat, 4 Jun 2011 09:38:39 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [134.226.32.56]) by ietfa.amsl.com (Postfix) with ESMTP id 30324E06C1 for <sidr@ietf.org>; Sat, 4 Jun 2011 09:38:39 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 78E84171C03; Sat, 4 Jun 2011 17:38:38 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1307205516; bh=/+WO3slI9HQl1C yMLmH8A0cM5kWUMWT7JYY7yipA3QA=; b=iz0fnAeXY5Sul8l9OB4JMnqWnhJuh9 kCdh8e+l93YYpnxO9t0qUOc1triUsO26pbeuWVOiOVmrAsIXpAzGBVsQdb9DTrKG CAHU7Hp0jROWGjXHMSZiGNj8mHkdkcw7+UTj7EThJxsVMSpBaaEALPMdS9n5M+ys W+3OJoqHH0Vs4dAGO9P0M3E8vVxwgFKwdJqOyVgR1TWbFP9lgAiUeIxRirjCyQhc uQfIF0C7Oh5w7Ple8FNWNP735kHDqzAvh/UXQdh6EuItTptANc85kGJyBGC1jyCV OYPnPzMzCM6uzTAo238X8+AG+uWrdO6ZPtwLdvAQTaiqtezOgnL+Vqxw==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id U3YgL90s8hw2; Sat, 4 Jun 2011 17:38:36 +0100 (IST)
Received: from [10.87.48.9] (unknown [86.45.54.169]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 7C663171D0D; Sat, 4 Jun 2011 17:38:35 +0100 (IST)
Message-ID: <4DEA5F8B.8060804@cs.tcd.ie>
Date: Sat, 04 Jun 2011 17:38:35 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110424 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: Christopher Morrow <morrowc.lists@gmail.com>
References: <4DAF44AC.8060408@isi.edu> <BANLkTikLi2p7UipJ!TRSQqVOL6GkLn=j9iA@mail.gmail.com> <F0FABE61-FC1D-45ED-A21D-ED7A1228A997@isi.edu> <01eb01cc0325$6e4fd260$4001a8c0@gateway.2wire.net> <4DB592B3.3090805@isi.edu> <033e01cc05a8$0a82f160$4001a8c0@gateway.2wire.net> <4DB9A456.3060709@isi.edu> <BANLkTikg18FV5H0bOdOfWMzpTcm_B__EVQ@mail.gmail.com> <017b01cc13ff$0cb6da40$4001a8c0@gateway.2wire.net> <BANLkTink82qvhge6rRhqt5+h-2mEkKBMhA@mail.gmail.com> <m21uzwr3tw.wl%randy@psg.com> <BANLkTimPnMfE1ii=6uwAckoFY0yUU=w43g@mail.gmail.com> <BANLkTinu8pxxCj4cdJzbS3z5h=8=s+U3Gw@mail.gmail.com> <D1D8138DDF34B34B8BC68A11262D10790F6233E006@EUSAACMS0701.eamcs.ericsson.se> <Pine.WNT.4.64.1106031624560.2148@SMURPHY-LT.columbia.ads.sparta.com> <D1D8138DDF34B34B8BC68A11262D10790F6233E04A@EUSAACMS0701.eamcs.ericsson.se> <BANLkTi=OcqYbBReP+F+6e+mdqySEWPkq4Q@mail.gmail.com> <D1D8138DDF34B34B8BC68A11262D10790F6233E0E3@EUSAACMS0701.eamcs.ericsson.se> <BANLkTikqeHdq15P7yC1A6owtrKGBWQsKkQ@mail.gmail.co m>
In-Reply-To: <BANLkTikqeHdq15P7yC1A6owtrKGBWQsKkQ@mail.gmail.com>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Sandra Murphy <Sandra.Murphy@sparta.com>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jun 2011 16:38:40 -0000
Hi all, Trying to catch up with you all here. >From reading the mail thread it seems to me that: - tcp-md5 is available but undesirable - tcp-ao is desirable but unavailable so far - ssh is available and slightly undesirable for performance reasons but desirable in security terms That would imply that an answer might be: MUST implement SSH; SHOULD implement TCP-AO and MUST/SHOULD prefer TCP-AO over SSH if both available Would that garner (rough) consensus? We really do want to deprecate tcp-md5. Cheers, Stephen. On 04/06/11 03:26, Christopher Morrow wrote: > On Fri, Jun 3, 2011 at 10:15 PM, Uma Chunduri <uma.chunduri@ericsson.com> wrote: >> >> >> -----Original Message----- >> From: christopher.morrow@gmail.com [mailto:christopher.morrow@gmail.com] On Behalf Of Christopher Morrow >> Sent: Friday, June 03, 2011 6:11 PM >> To: Uma Chunduri >> Cc: Sandra Murphy; stephen.farrell@cs.tcd.ie; sidr@ietf.org >> Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? >> >> On Fri, Jun 3, 2011 at 5:28 PM, Uma Chunduri <uma.chunduri@ericsson.com> wrote: >>> >>> >>> -----Original Message----- >>> From: Sandra Murphy [mailto:Sandra.Murphy@sparta.com] >>> Sent: Friday, June 03, 2011 1:43 PM >>> To: Uma Chunduri >>> Cc: sidr@ietf.org; Sean Turner; stephen.farrell@cs.tcd.ie >>> Subject: Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? >>> >>> >>> On Fri, 3 Jun 2011, Uma Chunduri wrote: >>> >>>> >>>> >>> .... >>> >>>> >>>> True, privacy through SSH is overkill but strong AUTH is *critical*, I feel: >>>> - TCP-MD5 should not be considered (as it is any ways deprecated >>>> and it's MD5) >>>> - TCP-AO has only slight advantage as it has less overhead than >>>> ipsec-AH even when >>>> deployed with manual keys >>>> - but it's better if it is "MUST support authentication of nodes >>>> with TCP-AO or ipsec-AH" because >>> >>> Just to be sure: >>> >>> Did you understand the part about implementations of TCP-AO and ipsec-AH not being available at present? >>> >>> I.e., you recognize this forces a delay in implementation of the protocol (and accept the consequent impact on deployment of the RPKI)? >>> >>> [Uma] Yes, I did. Even though operators don't like ipsec-AH today, it >>> is still deployed for OSPFv3 protection as that (of course now there are other drafts to mitigate complexity with reasonable trade-off). >>> >> >> So, speaking as just another guy on the bus here... it's not about 'dont like it' it's about "THE CODE ON THE ROUTER DOES NOT DO IPSEC" >> >> Keep in mind that a router is not a generic CPU + intel ethernet PCI card, and often the OS on it is optomized for a particular duty, in large iron routers it's NOT ipsec. >> >>> Problem with MD5 is, it can present the *weakest* link for the whole RPKI infa. >>> At least new infrastructure like RPKI should avoid deprecated stuff. >> >> exactly how is MD5 the weakest link here? some particular words about the threat model + ability to subvert a running session which ships a few megabytes/minute around would be in order here. >> >> [Uma] >> >> 1. Wang, X., H. Yu, "How to break MD5 and other hash >> functions", Proc. IACR Eurocrypt 2005, Denmark > > depends on creating 2 items to hash I believe? shows that if you do > the right thing for 2 very large items you create you can get a > collision in some instances. not picking random bits off the wire, not > relevant, move on. > >> 2. RFC 4270 > > talks about the above, not relevant. > >> >> 3. long back even OSPF, ISIS etc.. moved away from MD5 > > fear, uncertainty, doubt. > > we aren't talking about a permanent use of md5, we're talking about: > Use something that provides authentication/assurance NOW so we can > move forward, knowing full well we'll change to the better/required > solution when it's available in the right places. > > There's not a single AO implementation available today... it's DOA > until there is. (frankly it's kind of a failure that there aren't > widely deployed implementations of this... given all the time to > invent it and all) > >> 4. ... >> >> For that matter SHA1 is getting deprecated http://securitymusings.com/article/1587/algorithm-and-key-length-deprecation >> > > again, not relevant. > > please find something relevant that's not just fear mongering. Or, > alternately, find implementations of AO in the servers and routers > that matter. (if there are AO implementations w00t! we all win, until > then we spin) > > -chris > <regular guy socks==on> > >> >> Getting public keys from a server with a deprecated auth mechanism to verify RSA signature? >> it's obscure..and not sure why it's not considered weak. >> Well, one can still use and design systems around this if this is still seen adequate. >> >> -Uma >> >> >> >> >> -chris >> <just a guy> >> >>> -Uma >>> >>> >>> --Sandy, speaking as wg co-chair >>> >>> >>>> as both support >>>> - strong auth algos >>>> - algo agility >>>> - can be deployed with manual and auto key management >>>> (auto key probably required eventually, once with lot of >>>> connections at >>>> cache/global RPKI/server side and for automatic key >>>> changes periodically) >>>> - key changes for existing sessions >>>> >>>> One would get flexibility with this. >>>> Also Section 7 (page 16) >>>> "It is assumed that the router and cache have exchanged keys out of band by some reasonably secured means" >>>> This will be still applicable but only if TCP-AO/ipsce-AH are deployed with manual keys. >>>> >>>> 2 cents, >>>> -Uma >>>> >>>> >>>> _______________________________________________ >>>> sidr mailing list >>>> sidr@ietf.org >>>> https://www.ietf.org/mailman/listinfo/sidr >>>> >>> _______________________________________________ >>> sidr mailing list >>> sidr@ietf.org >>> https://www.ietf.org/mailman/listinfo/sidr >>> >>
- [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Jared Mauch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Kent
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Danny McPherson
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Smith, Donald
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Pradosh Mohapatra
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Pradosh Mohapatra
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Sandra Murphy
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Geoff Huston
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Geoff Huston
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Matthias Waehlisch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Kent
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Brian Weis
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Sandra Murphy
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Uma Chunduri
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Hannes Gredler
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Robert Raszuk
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- [sidr] TLS (Was: Re: WGLC draft-sidr-rpki-rtr - t… Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] TLS (Was: Re: WGLC draft-sidr-rpki-rtr… Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Stephen Farrell
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? John Scudder
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] draft-sidr-rpki-rtr t.petch
- Re: [sidr] draft-sidr-rpki-rtr Joe Touch
- Re: [sidr] draft-sidr-rpki-rtr Randy Bush
- Re: [sidr] draft-sidr-rpki-rtr Stewart Bryant
- Re: [sidr] draft-sidr-rpki-rtr t.petch
- Re: [sidr] draft-sidr-rpki-rtr Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Paul Hoffman
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Christopher Morrow
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Randy Bush
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? t.petch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch
- Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2? Joe Touch