Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?

Joe Touch <touch@isi.edu> Sun, 05 June 2011 22:29 UTC

To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: sidr@ietf.org, Stephen Farrell <stephen.farrell@cs.tcd.ie>

Hi, all,

+1, with a caveat below...

On 6/4/2011 1:04 PM, Paul Hoffman wrote:
> On Jun 3, 2011, at 7:15 PM, Uma Chunduri wrote:
>
>> exactly how is MD5 the weakest link here? some particular words about the threat model + ability to subvert a running session which ships a few megabytes/minute around would be in order here.
>>
>> [Uma]
>>
>> 1. Wang, X., H. Yu, "How to break MD5 and other hash
>>              functions", Proc. IACR Eurocrypt 2005, Denmark
>> 2. RFC 4270
>
> Wearing my co-author-of-4270 hat, let me state forcefully: invoking
> RFC 4270 or *any* current published work on MD5 does not answer the
> question of how MD5 is the weakest link here. Those are *unrelated* to
> an attack on the integrity of communication in draft-sidr-rpki-rtr.
> Collision attacks on MD5 and SHA-1 are, to date, unrelated to preimage
> attacks, and it is preimage attacks that you care about.
>
> On Jun 4, 2011, at 9:38 AM, Stephen Farrell wrote:
>
>> Trying to catch up with you all here.
>>
>> From reading the mail thread it seems to me that:
>>
>> - tcp-md5 is available but undesirable
>> - tcp-ao is desirable but unavailable so far
>> - ssh is available and slightly undesirable for
>>   performance reasons but desirable in
>>   security terms
>>
>> That would imply that an answer might be:
>>
>> MUST implement SSH; SHOULD implement TCP-AO and
>> MUST/SHOULD prefer TCP-AO over SSH if both
>> available
>>
>> Would that garner (rough) consensus?
>
> Another proposal that might be more likely to garner rough consensus
> would be: MUST implement TCP-MD5 [RFC2385]; SHOULD implement TCP-AO
> [RFC5925] (the official successor to TCP-MD5) as soon as possible; if
> both parties in the protocol support TCP-AO, they SHOULD use TCP-AO and
> SHOULD NOT use TCP-MD5. After we believe that there is lots of TCP-AO
> adoption, we revise the document and remove TCP-MD5 as an option.

IMO, "MUST AO, MAY MD5 if AO is not available" achieves this *without* a 
"MUST" that overrides the existing AO/MD5 advice in the AO RFC.

The net effect is, AFAICT, identical, and more like what you state above.

FWIW, I also think it's a lot more tractable to expect a MD5/AO use than 
an SSH/AO use; the APIs of the former two are likely to be very similar, 
but not the latter.

Joe