From ylee@huawei.com Tue May 4 14:45:54 2010
From: Young Lee
Date: Tue, 04 May 2010 15:49:26 -0500
To: rtg-ads@tools.ietf.org
Cc: rtg-dir@ietf.org, draft-ietf-opsec-routing-protocols-crypto-issues.all@tools.ietf.org
Subject: [RTG-DIR] RtgDir review: draft-ietf-opsec-routing-protocols-crypto-issues-04.txt

Hello,

I have been selected as the Routing Directorate reviewer for this draft. The Routing Directorate seeks to review all routing or routing-related drafts as they pass through IETF last call and IESG review. The purpose of the review is to provide assistance to the Routing ADs. For more information about the Routing Directorate, please see http://www.ietf.org/iesg/directorate/routing.html

Although these comments are primarily for the use of the Routing ADs, it would be helpful if you could consider them along with any other IETF Last Call comments that you receive, and strive to resolve them through discussion or by updating the draft.

Document: draft-ietf-opsec-routing-protocols-crypto-issues-04.txt

Reviewer: Young Lee
Review Date: 4 May, 2010
IETF LC End Date: 10 May, 2010
Intended Status: Informational

Summary:
I have some minor concerns about this document that I think should be resolved before publication.

Comments:
This document is clearly written and easy to understand.

Major Issues:
No major issues found.

Minor Issues:
Section 1: Can you give a bit more explanation why the MD5 digest algorithm is not suitable for future implications?

Section 1.1: At the end of the first paragraph, can you give the reference for the literature on the discovery of feasible collision attacks against MD4, etc.?

Section 3: In the second paragraph, what is ESP? It would be helpful to include Terminology Section upfront to describe all the acronyms.

Section 3.1: In the first paragraph, what is SA?

Nits:
Abstract

s/router ./router.

From manav.bhatia@alcatel-lucent.com Tue May 4 19:39:53 2010
From: "Bhatia, Manav (Manav)"
Date: Wed, 5 May 2010 08:09:20 +0530
To: Young Lee, "rtg-ads@tools.ietf.org"
Cc: "rtg-dir@ietf.org", "draft-ietf-opsec-routing-protocols-crypto-issues.all@tools.ietf.org"
Subject: Re: [RTG-DIR] RtgDir review: draft-ietf-opsec-routing-protocols-crypto-issues-04.txt

Hi Young,

Thanks for the review!

> Minor Issues:
> Section 1: Can you give a bit more explanation why the MD5 digest algorithm is not suitable for future implications?

I think there is enough evidence about attacks on MD5. Though we are still far from direct impact on routing protocols there is clear consensus in IETF about deprecating its use towards a more secure algorithm. You could look at two recent RFCs that add support for HMAC-SHA for OSPF [RFC 5709] and ISIS [RFC 5310].

> Section 1.1: At the end of the first paragraph, can you give the
> reference for the literature on the discovery of feasible collision attacks against MD4, etc.?

Will add a reference in the next revision.

[REF] Xiaoyun Wang, Xuejia Lai, Dengguo Feng and Hongbo Yu, "Collisions for hash functions MD4, MD5, HAVAL-128, and RIPEMD", Crypto 2004 Rump Session

>
> Section 3: In the second paragraph, what is ESP? It would be helpful to include Terminology Section upfront to describe all the acronyms.

Encapsulating Security Payload (ESP) [RFC4303]

>
> Section 3.1: In the first paragraph, what is SA?

Security Association

>
> Nits:
> Abstract
> s/router ./router.

Will do.

Thanks, Manav

From ylee@huawei.com Mon May 10 13:49:23 2010
From: Young Lee
Date: Mon, 10 May 2010 15:43:21 -0500
To: 'Joel Jaeggli', "'Bhatia, Manav (Manav)'"
Cc: rtg-dir@ietf.org, draft-ietf-opsec-routing-protocols-crypto-issues.all@tools.ietf.org, rtg-ads@tools.ietf.org
Subject: Re: [RTG-DIR] RtgDir review: draft-ietf-opsec-routing-protocols-crypto-issues-04.txt

Hi Joel and Bhatia,

I don't have any more issue on MD5. Thanks for your explanation. It may help the reader if you would say:

"The MD5 digest algorithm was not designed to be used in the way most routing protocols are using it which has potentially serious future implications. There have been recent RFCs that support more secure algorithms than MD5 such as HMAC-SHA for OSPF [RFC 5709] and ISIS [RFC 5310], respectively."

Best Regards,
Young

-----Original Message-----
From: Joel Jaeggli [mailto:joelja@bogus.com]
Sent: Sunday, May 09, 2010 2:40 PM
To: Bhatia, Manav (Manav)
Cc: Young Lee; rtg-ads@tools.ietf.org; rtg-dir@ietf.org; draft-ietf-opsec-routing-protocols-crypto-issues.all@tools.ietf.org
Subject: Re: RtgDir review: draft-ietf-opsec-routing-protocols-crypto-issues-04.txt

On 05/04/2010 07:39 PM, Bhatia, Manav (Manav) wrote:
> Hi Young,
>
> Thanks for the review!
>
>> Minor Issues:
>> Section 1: Can you give a bit more explanation why the MD5 digest algorithm is not suitable for future implications?
>
> I think there is enough evidence about attacks on MD5. Though we are still far from direct impact on routing protocols there is clear consensus in IETF about deprecating its use towards a more secure algorithm. You could look at two recent RFCs that add support for HMAC-SHA for OSPF [RFC 5709] and ISIS [RFC 5310].

the reading for the security area directors (pasi) was that recommendation to avoid using md5 is sensible notwithstanding a lack of specific circumstances in which it is possible to subvert.

>> Section 1.1: At the end of the first paragraph, can you give the
>> reference for the literature on the discovery of feasible collision attacks against MD4, etc.?
>
> Will add a reference in the next revision.
>
> [REF] Xiaoyun Wang, Xuejia Lai, Dengguo Feng and Hongbo Yu, "Collisions for hash functions MD4, MD5, HAVAL-128, and RIPEMD", Crypto 2004 Rump Session
>
>>
>> Section 3: In the second paragraph, what is ESP? It would be helpful to include Terminology Section upfront to describe all the acronyms.
>
> Encapsulating Security Payload (ESP) [RFC4303]
>
>>
>> Section 3.1: In the first paragraph, what is SA?
>
> Security Association
>
>>
>> Nits:
>> Abstract
>> s/router ./router.
>
> Will do.
>
> Thanks, Manav
>
>

From joelja@bogus.com Sun May 9 14:08:52 2010
From: Joel Jaeggli
Date: Sun, 09 May 2010 12:39:58 -0700
To: "Bhatia, Manav (Manav)"
Cc: "rtg-dir@ietf.org", "draft-ietf-opsec-routing-protocols-crypto-issues.all@tools.ietf.org", Young Lee, "rtg-ads@tools.ietf.org"
Subject: Re: [RTG-DIR] RtgDir review: draft-ietf-opsec-routing-protocols-crypto-issues-04.txt

On 05/04/2010 07:39 PM, Bhatia, Manav (Manav) wrote:
> Hi Young,
>
> Thanks for the review!
>
>> Minor Issues:
>> Section 1: Can you give a bit more explanation why the MD5 digest algorithm is not suitable for future implications?
>
> I think there is enough evidence about attacks on MD5. Though we are still far from direct impact on routing protocols there is clear consensus in IETF about deprecating its use towards a more secure algorithm. You could look at two recent RFCs that add support for HMAC-SHA for OSPF [RFC 5709] and ISIS [RFC 5310].

the reading for the security area directors (pasi) was that recommendation to avoid using md5 is sensible notwithstanding a lack of specific circumstances in which it is possible to subvert.

>> Section 1.1: At the end of the first paragraph, can you give the
>> reference for the literature on the discovery of feasible collision attacks against MD4, etc.?
>
> Will add a reference in the next revision.
>
> [REF] Xiaoyun Wang, Xuejia Lai, Dengguo Feng and Hongbo Yu, "Collisions for hash functions MD4, MD5, HAVAL-128, and RIPEMD", Crypto 2004 Rump Session
>
>>
>> Section 3: In the second paragraph, what is ESP? It would be helpful to include Terminology Section upfront to describe all the acronyms.
>
> Encapsulating Security Payload (ESP) [RFC4303]
>
>>
>> Section 3.1: In the first paragraph, what is SA?
>
> Security Association
>
>>
>> Nits:
>> Abstract
>> s/router ./router.
>
> Will do.
>
> Thanks, Manav
>
>

From manav.bhatia@alcatel-lucent.com Mon May 10 14:57:33 2010
From: "Bhatia, Manav (Manav)"
Date: Tue, 11 May 2010 03:27:09 +0530
To: Young Lee, "'Joel Jaeggli'"
Cc: "rtg-dir@ietf.org", "draft-ietf-opsec-routing-protocols-crypto-issues.all@tools.ietf.org", "rtg-ads@tools.ietf.org"
Subject: Re: [RTG-DIR] RtgDir review: draft-ietf-opsec-routing-protocols-crypto-issues-04.txt

Hi Young,

Will add this in the next revision.

Joel - Do we come out with the next revision now, or do we do it after the IESG review?

Cheers, Manav

> -----Original Message-----
> From: Young Lee [mailto:ylee@huawei.com]
> Sent: Tuesday, May 11, 2010 2.13 AM
> To: 'Joel Jaeggli'; Bhatia, Manav (Manav)
> Cc: rtg-ads@tools.ietf.org; rtg-dir@ietf.org; draft-ietf-opsec-routing-protocols-crypto-issues.all@tools.ietf.org
> Subject: RE: RtgDir review: draft-ietf-opsec-routing-protocols-crypto-issues-04.txt
>
> Hi Joel and Bhatia,
>
> I don't have any more issue on MD5. Thanks for your explanation. It may help the reader if you would say:
>
> "The MD5 digest algorithm was not designed to be used in the way most routing protocols are using it which has potentially serious future implications. There have been recent RFCs that support more secure algorithms than MD5 such as HMAC-SHA for OSPF [RFC 5709] and ISIS [RFC 5310], respectively."
>
> Best Regards,
> Young
>
> -----Original Message-----
> From: Joel Jaeggli [mailto:joelja@bogus.com]
> Sent: Sunday, May 09, 2010 2:40 PM
> To: Bhatia, Manav (Manav)
> Cc: Young Lee; rtg-ads@tools.ietf.org; rtg-dir@ietf.org; draft-ietf-opsec-routing-protocols-crypto-issues.all@tools.ietf.org
> Subject: Re: RtgDir review: draft-ietf-opsec-routing-protocols-crypto-issues-04.txt
>
> On 05/04/2010 07:39 PM, Bhatia, Manav (Manav) wrote:
> > Hi Young,
> >
> > Thanks for the review!
> >
> >> Minor Issues:
> >> Section 1: Can you give a bit more explanation why the MD5 digest algorithm is not suitable for future implications?
> >
> > I think there is enough evidence about attacks on MD5. Though we are still far from direct impact on routing protocols there is clear consensus in IETF about deprecating its use towards a more secure algorithm. You could look at two recent RFCs that add support for HMAC-SHA for OSPF [RFC 5709] and ISIS [RFC 5310].
>
> the reading for the security area directors (pasi) was that recommendation to avoid using md5 is sensible notwithstanding a lack of specific circumstances in which it is possible to subvert.
>
> >> Section 1.1: At the end of the first paragraph, can you give the
> >> reference for the literature on the discovery of feasible collision attacks against MD4, etc.?
> >
> > Will add a reference in the next revision.
> >
> > [REF] Xiaoyun Wang, Xuejia Lai, Dengguo Feng and Hongbo Yu, "Collisions for hash functions MD4, MD5, HAVAL-128, and RIPEMD", Crypto 2004 Rump Session
> >
> >>
> >> Section 3: In the second paragraph, what is ESP? It would be helpful to include Terminology Section upfront to describe all the acronyms.
> >
> > Encapsulating Security Payload (ESP) [RFC4303]
> >
> >>
> >> Section 3.1: In the first paragraph, what is SA?
> >
> > Security Association
> >
> >>
> >> Nits:
> >> Abstract
> >> s/router ./router.
> >
> > Will do.
> >
> > Thanks, Manav
> >
> >
>

From joelja@bogus.com Mon May 10 19:10:18 2010
From: Joel Jaeggli
Date: Mon, 10 May 2010 19:09:39 -0700
To: "Bhatia, Manav (Manav)"
Cc: "rtg-dir@ietf.org", "draft-ietf-opsec-routing-protocols-crypto-issues.all@tools.ietf.org", Young Lee, "rtg-ads@tools.ietf.org"
Subject: Re: [RTG-DIR] RtgDir review: draft-ietf-opsec-routing-protocols-crypto-issues-04.txt

given the impact of the proposed text I think it can wait for auth48 unless somebody on the iesg thinks otherwise.

joel

On 05/10/2010 02:57 PM, Bhatia, Manav (Manav) wrote:
> Hi Young,
>
> Will add this in the next revision.
>
> Joel - Do we come out with the next revision now, or do we do it after the IESG review?
>
> Cheers, Manav
>
>> -----Original Message-----
>> From: Young Lee [mailto:ylee@huawei.com]
>> Sent: Tuesday, May 11, 2010 2.13 AM
>> To: 'Joel Jaeggli'; Bhatia, Manav (Manav)
>> Cc: rtg-ads@tools.ietf.org; rtg-dir@ietf.org; draft-ietf-opsec-routing-protocols-crypto-issues.all@tools.ietf.org
>> Subject: RE: RtgDir review: draft-ietf-opsec-routing-protocols-crypto-issues-04.txt
>>
>> Hi Joel and Bhatia,
>>
>> I don't have any more issue on MD5. Thanks for your explanation. It may help the reader if you would say:
>>
>> "The MD5 digest algorithm was not designed to be used in the way most routing protocols are using it which has potentially serious future implications. There have been recent RFCs that support more secure algorithms than MD5 such as HMAC-SHA for OSPF [RFC 5709] and ISIS [RFC 5310], respectively."
>>
>> Best Regards,
>> Young
>>
>> -----Original Message-----
>> From: Joel Jaeggli [mailto:joelja@bogus.com]
>> Sent: Sunday, May 09, 2010 2:40 PM
>> To: Bhatia, Manav (Manav)
>> Cc: Young Lee; rtg-ads@tools.ietf.org; rtg-dir@ietf.org; draft-ietf-opsec-routing-protocols-crypto-issues.all@tools.ietf.org
>> Subject: Re: RtgDir review: draft-ietf-opsec-routing-protocols-crypto-issues-04.txt
>>
>> On 05/04/2010 07:39 PM, Bhatia, Manav (Manav) wrote:
>>> Hi Young,
>>>
>>> Thanks for the review!
>>>
>>>> Minor Issues:
>>>> Section 1: Can you give a bit more explanation why the MD5 digest algorithm is not suitable for future implications?
>>>
>>> I think there is enough evidence about attacks on MD5. Though we are still far from direct impact on routing protocols there is clear consensus in IETF about deprecating its use towards a more secure algorithm. You could look at two recent RFCs that add support for HMAC-SHA for OSPF [RFC 5709] and ISIS [RFC 5310].
>>
>> the reading for the security area directors (pasi) was that recommendation to avoid using md5 is sensible notwithstanding a lack of specific circumstances in which it is possible to subvert.
>>
>>>> Section 1.1: At the end of the first paragraph, can you give the
>>>> reference for the literature on the discovery of feasible collision attacks against MD4, etc.?
>>>
>>> Will add a reference in the next revision.
>>>
>>> [REF] Xiaoyun Wang, Xuejia Lai, Dengguo Feng and Hongbo Yu, "Collisions for hash functions MD4, MD5, HAVAL-128, and RIPEMD", Crypto 2004 Rump Session
>>>
>>>>
>>>> Section 3: In the second paragraph, what is ESP? It would be helpful to include Terminology Section upfront to describe all the acronyms.
>>>
>>> Encapsulating Security Payload (ESP) [RFC4303]
>>>
>>>>
>>>> Section 3.1: In the first paragraph, what is SA?
>>>
>>> Security Association
>>>
>>>>
>>>> Nits:
>>>> Abstract
>>>> s/router ./router.
>>>
>>> Will do.
>>>
>>> Thanks, Manav
>>>
>>>
>>
>>