Deprecating MD5 for LDP draft-nslag-mpls-deprecate-md5-04

Slides:

Advertisements

Similar presentations

STUN Open Issues Jonathan Rosenberg dynamicsoft. Changes since -00 Answered UNSAF considerations –Still awaiting response from Leslie on whether they.

Advertisements

Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.

RIP V2 CCNP S1(5), Chapter 4.

Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt OPSEC WG, IETF #66.

CS Summer 2003 Lecture 15 MPLS Fault-Tolerance Architecture ( For details, see class notes)

CMSC 414 Computer (and Network) Security Lecture 25 Jonathan Katz.

Draft-akiya-mpls-lsp-ping-reply-mode-simple Nobo Akiya George Swallow Carlos Pignataro Loa Andersson Mach Chen Shaleen Saxena IETF 88, Vancouver, Canada.

SIP working group status Keith Drage, Dean Willis.

TCP/SYN Attack – use ACL to allow traffic from TCP connections that were established from the internal network and block packets from an external network.

1 IPFIX Protocol Specifications IPFIX IETF-59 March 3, 2004 Benoit Claise Mark Fullmer Reinaldo Penno Paul Calato Stewart Bryant Ganesh Sadasivan.

BGPSEC Router Key Roll-over draft-rogaglia-sidr-bgpsec-rollover-00 Roque Gagliano Keyur Patel Brian Weis.

1 Virtual Router Redundancy Protocol (VRRP) San Francisco IETF VRRP Working Group March 2003 San Francisco IETF Mukesh Gupta / Nokia Chair.

SIP working group IETF#70 Essential corrections Keith Drage.

IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.

Chapter 27 IPv6 Protocol.

Authentication for TCP-based Routing and Management Protocols draft-bonica-tcp-auth-04.

End-to-middle Security in SIP draft-ono-sipping-end2middle-security-04 Kumiko Ono IETF62.

Encryption protocols Monil Adhikari. What is SSL / TLS? Transport Layer Security protocol, ver 1.0 De facto standard for Internet security “The primary.

OSPF WG Cryptographic Algorithm Implementation Requirements for OSPF draft-bhatia-manral-crypto-req-ospf-00.txt Vishwas Manral, IPInfusion Manav Bhatia,

1 ipv6-node-02.PPT/ 18 November 2002 / John Loughney IETF 55 IPv6 Working Group IPv6 Node Requirements draft-ietf-ipv6-node-requirements-02.txt John Loughney.

Requirements and Selection Process for RADIUS Crypto-Agility December 5, 2007 David B. Nelson IETF 70 Vancouver, BC.

Role of Router. The Router as a Perimeter Device  Usually the main function of a router is considered as the forwarding of packets between two network.

Cryptography and Network Security Chapter 1. Background  Information Security requirements have changed in recent times  traditionally provided by physical.

Authentication for TCP-based Routing and Management Protocols draft-bonica-tcp-auth-04.

Identity-Based Signatures for MANET Routing Protocols draft-dearlove-manet-ibs-00 Christopher Dearlove Presented by Ulrich Herberg.

RPSEC WG Issues with Routing Protocols security mechanisms Vishwas Manral, SiNett Russ White, Cisco Sue Hares, Next Hop IETF 63, Paris, France.

ECC Design Team: Initial Report Brian Minard, Tolga Acar, Tim Polk November 8, 2006.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—1-1 BGP Overview Establishing BGP Sessions.

Doc.: IEEE /1147r1 Submission November 2009 David Halasz, AclaraSlide 1 Path Protection Date: Authors:

David B. Johnson Rice University Department of Computer Science DSR Draft Status Monarch Project 57th IETF.

19 March 2003Page 1 BGP Vulnerabilities Draft March 19, 2003 Sandra Murphy

Design Guidelines for IPv6 Networks draft-matthews-v6ops-design-guidelines Philip Matthews Alcatel-Lucent.

Mobile IP Security Konidala M. Divyan International Research Center for Information Security Network Security (ICE 615) Term Project – 2002 Autumn.

Network Management Security in distributed and remote network management protocols.

TICTOC -Topology-Discovery and Clock-Discovery

Requirements for LER Forwarding of IPv4 Option Packets

Connecting an Enterprise Network to an ISP Network

Residence Time Measurement draft-mirsky-mpls-residence-time-02

CSE 4905 IPsec.

Updated SBSP draft-birrane-dtn-sbsp-01.txt Edward Birrane

Chapter 18 IP Security  IP Security (IPSec)

RPSEC WG Issues with Routing Protocols security mechanisms

CSE 4905 IPsec II.

IS-IS WG IS-IS Cryptographic Authentication Requirements

IETF 55 IPv6 Working Group IPv6 Node Requirements

The need for better security considerations guidance

ITU-T Study Group 15 Update to IETF CCAMP

IPv6 Router Alert Option for MPLS OAM

Computer Security Security Concepts September 20, 2018

CSE 4095 Transport Layer Security TLS

John Scudder October 24, 2000 BGP Update John Scudder October 24, 2000.

draft-ipdvb-sec-01.txt ULE Security Requirements

IETF YANG Routing Types Update

IP-Spoofing and Source Routing Connections

Use of Ethernet Control Word RECOMMENDED

Proposal for Extensible Security

Encrypting DNS traffic

Outline Using cryptography in networks IPSec SSL and TLS.

1 Multi-Protocol Label Switching (MPLS). 2 MPLS Overview A forwarding scheme designed to speed up IP packet forwarding (RFC 3031) Idea: use a fixed length.

Technical Issues with draft-ietf-mpls-bfd-directed

PW security measures PWE3 – 65th IETF 21 March 2005 Yaakov (J) Stein.

PW Control Word Stitching

An MPLS-Based Forwarding Plane for Service Function Chaining

draft-ietf-dtn-bpsec-06

Synonymous Flow Labels

PW Control Word Stitching

IETF-104 (Prague) DHC WG Next steps

Pseudowire And LDP-enabled Services (PALS) WG Status IETF 100 Singapore Co-Chairs: Stewart Bryant and Andy Malis

TICTOC WG Transporting PTP Messages (1588) over MPLS Networks

Presentation transcript:

Deprecating MD5 for LDP draft-nslag-mpls-deprecate-md5-04 Loa Andersson Stewart Bryant Andy Malis Nic Leymann George Swallow IETF 104

Some History RFC 3036 (LDP) was published in January 2001 Replaced by RFC 5036 in October 2007 Both specified the use of the TCP MD5 Signature Option for authenticity and integrity of LDP messages, to prevent against spoofing As far back as 1998, the IETF was aware of problems with MD5 (see RFC 2385, for example) RFC 5925 (June 2010) deprecated the TCP MD5 Signature option and replaced it with the TCP Authentication Option (TCP-AO) Cryptographic algorithms specified separately (RFC 5926) to allow them to be easily updated RFC 6952 (May 2013) recommended that TCP-based routing protocols move from MD5 to TCP-AO RFC 7454 (February 2015) specified the use of TCP-AO with BGP But did not specify which cryptographic algorithm to use However, LDP continues to use MD5

draft-nslag-mpls-deprecate-md5 Goal is to update LDP to also replace MD5 with TCP-AO However, the authors are LDP experts, not security experts, and thus have some questions How successful has TCP-AO been for BGP? Is it in use in the field? Which crypto algorithm should be chosen as the default? We would want one that is reasonably better than MD5 (otherwise, why bother), but can be implemented on a typical router processor, and which will provide adequate security without significantly degrading the convergence time of an LSR Does anyone really care? Does anyone currently use LDP with MD5? We’re looking for advice on how to go forward