Re: [tcpm] SHA-2 auth draft on TCP-AO
Gregory Lebovitz <gregory.ietf@gmail.com> Tue, 30 September 2014 22:54 UTC
Return-Path: <gregory.ietf@gmail.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E023B1ACC86 for <tcpm@ietfa.amsl.com>; Tue, 30 Sep 2014 15:54:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.999
X-Spam-Level:
X-Spam-Status: No, score=-101.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7l9cslnUKXb for <tcpm@ietfa.amsl.com>; Tue, 30 Sep 2014 15:54:40 -0700 (PDT)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF1D11ABD37 for <tcpm@ietf.org>; Tue, 30 Sep 2014 15:53:28 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id b6so5505101lbj.31 for <tcpm@ietf.org>; Tue, 30 Sep 2014 15:53:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vZ2UoI9rNqu0YRaxrZ//L1S3qW3gYqr0EOUvQgv/19A=; b=fjsIMzTGG56e/t8dKoZVpReP3Bs9/cKfupIjyOWvf3Mr/SpKizdJiVtgr6MT7f9U9n LIWyQM//gWuzGI71w0zsBy4PbEB2zj2KNowDS9w/mEcU9VRFAZU/r/Cn3Py1s7Mp6rkR xZKVxBIOdyxVFlRVPp87R/7OayX9voMWfNGperEsL/JkqmQBcmRuxq0WrOjJTQPX6WeV sI/kKHELA4gYPq9RP66mzXdEoLZ4AEtWymzq3TEb0KWP1QSFgfyEV9mveg0uDnI2Adm0 HKa+VoTofLGyfN0GIgE/OWaihCt/4j+Qnx4SgFPTfCgpUbK5wfGdW2ZZRdf9z2QGDTl7 HOTg==
MIME-Version: 1.0
X-Received: by 10.152.29.129 with SMTP id k1mr51040230lah.81.1412117606960; Tue, 30 Sep 2014 15:53:26 -0700 (PDT)
Received: by 10.112.133.138 with HTTP; Tue, 30 Sep 2014 15:53:26 -0700 (PDT)
In-Reply-To: <53A1CCCF.20804@isi.edu>
References: <CFB37264.5CEF3%sua@cisco.com> <538E0FCE.8030905@isi.edu> <CFC77DDE.5FF0B%sua@cisco.com> <7940AE67-BB4B-4A06-A277-465940C469B3@cisco.com> <53A1CCCF.20804@isi.edu>
Date: Tue, 30 Sep 2014 15:53:26 -0700
Message-ID: <CALG4KoYWASLkOsZ=YMfwmN-OpRtnXav4cHL_jOYzMiMc_koMgw@mail.gmail.com>
From: Gregory Lebovitz <gregory.ietf@gmail.com>
To: Joe Touch <touch@isi.edu>
Content-Type: multipart/alternative; boundary="089e0160b7da58141d05045040fa"
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/X0ZWCh37h6sZc3pBp38yVQ52ZCg
Cc: "tcpm@ietf.org" <tcpm@ietf.org>, "Rohit M (rrohit)" <rrohit@cisco.com>, "Sujeet Nayak A (sua)" <sua@cisco.com>
Subject: Re: [tcpm] SHA-2 auth draft on TCP-AO
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Sep 2014 22:54:43 -0000
Folks, I haven't been monitoring the -AO work for a few years now, but happened to be scanning and see this thread today. Pls excuse the late entry. Comments inline... On Wed, Jun 18, 2014 at 10:30 AM, Joe Touch <touch@isi.edu> wrote: > > > On 6/18/2014 9:12 AM, Brian Weis wrote: > >> Hi Joe, >> >> On Jun 18, 2014, at 5:04 AM, Sujeet Nayak A (sua) <sua@cisco.com> wrote: >> >> Hi Joe, >>> Thanks a lot of your quick and valuable comments: >>> >>> This doc should, AFAICT, update RFC 5926 >>>>> >>>> >> We're proposing updates to the IANA registries to add new >> algorithms,but it is not our goal to change the requirements language in >> RFC 5926. >> > > RFC 5926 indicates the security algs for TCP-AO; this doc proposes to > augment that list. Yes, that's captured by the IANA registry, but the way > RFC 5926 is written appears to indicate that additions to that registry > should UPDATE that RFC. If the WG or IESG sees otherwise, that's fine with > me. As its primary author/editor, and with the agreement of the TCPM WG and Security Directorate at the time, the goal of creating 5926 was that it would be the "short and sweet pluggable module" for crypto algos for 5925. This allowed any implementor of 5925 to have one and only one doc to read re: specified crypto algos AT ANY GIVEN POINT IN HISTORY. The idea was that when it was time to add another algo, like SHA2 (it was the one in mind at that time, in fact), or to deprecate an algo, all one would need to do is a (relatively painless) revision to 5926. I recommend we keep it that way, rather than take any short cuts that would result in spinning out additional RFC riders to 5925. All that needs to be done for a 5926bis is: 1) Add the new Auth Algo & Corresponding KDF to the tables in sect 2.2 2) Insert new KDF into the bullet list in sect 3.1.1 intro 3) insert new sect 3.1.1.x with the new KDF implementation details 4) insert new Auth Algo into bullet list in intro of sect 3.2 5) insert new sect 3.2.x with new Auth Algo implementation details 6) add any new Auth Algo / KDF security considerations to SCs section, if applicable 7) add new line to IANA table in sect 5 Pretty simple, really. If you'll provide the details above in an email to the list, I'd be happy to place them into the document and send out an update, adding the contributor (Rohit?) as an author. Let me know, Gregory > > > There isn't any compelling reason to change the existing algorithm >> requirements as both algorithms remain acceptable. We should clarify >> that the algorithm recommendations are really only relevant when this >> Internet-Draft is implemented. An implementation of TCP-AO still is >> required to comply with RFC 5926, but if it also implements this draft >> then it would need to pay attention to the algorithm recommendations in >> this draft. >> > > That's how all RFCs work, though. It would certainly be useful to be more > clear about the impact of this doc - i.e., that it adds additional optional > algorithms, rather than deprecating existing ones. > > Joe > > > _______________________________________________ > tcpm mailing list > tcpm@ietf.org > https://www.ietf.org/mailman/listinfo/tcpm > -- ---- IETF related email from Gregory M. Lebovitz
- [tcpm] SHA-2 auth draft on TCP-AO Sujeet Nayak A (sua)
- Re: [tcpm] SHA-2 auth draft on TCP-AO Joe Touch
- Re: [tcpm] SHA-2 auth draft on TCP-AO Sujeet Nayak A (sua)
- Re: [tcpm] SHA-2 auth draft on TCP-AO Brandon Williams
- Re: [tcpm] SHA-2 auth draft on TCP-AO Brian Weis
- Re: [tcpm] SHA-2 auth draft on TCP-AO Joe Touch
- Re: [tcpm] SHA-2 auth draft on TCP-AO Joe Touch
- Re: [tcpm] SHA-2 auth draft on TCP-AO Joe Touch
- Re: [tcpm] SHA-2 auth draft on TCP-AO Brian Weis
- Re: [tcpm] SHA-2 auth draft on TCP-AO Joe Touch
- Re: [tcpm] SHA-2 auth draft on TCP-AO Brian Weis
- Re: [tcpm] SHA-2 auth draft on TCP-AO Joe Touch
- Re: [tcpm] SHA-2 auth draft on TCP-AO Gregory Lebovitz