Slide 1: 2929bis etc.
IETF DNSEXT, August 2005, Paris, France
Donald E. Eastlake 3rd, +1-508-786-7554

Slide 2: Contents
Pretty Quick Items
– draft-ietf-dnsext-tsig-sha-04.txt
– draft-ietf-dnsext-ecc-key-06.txt
– draft-ietf-dnsext-rfc2536bis-dsa-06.txt
– draft-ietf-dnsext-rfc2539bis-dhk-06.txt
Not So Quick Item
– draft-ietf-dnsext-2929bis-00.txt

Slide 3: TSIG Algorithms
The current TSIG Proposed Standard [RFC 2845] defines only "HMAC-MD5.SIG-ALG.REG.INT".
– The known collision weaknesses in MD5/SHA-1 do not carry over to HMAC, so it may be OK, but:
– Some people want to use government-approved algorithms, i.e., at least SHA-1.
– The various SHA-224 and larger algorithms are believed to be stronger than MD5/SHA-1.
– Some people want to truncate their MACs.
Open Source for all SHA algorithms
– draft-eastlake-sha2-00.txt

Slide 4: Changes Specified by Draft "HMAC SHA TSIG Algorithm Identifiers"
– draft-ietf-dnsext-tsig-sha-02.txt, formerly draft-eastlake-tsig-sha-*.txt
Standardizes the added HMAC algorithm identifiers in FQDN syntax ("TLDs") for all SHAs, as follows:
– SHA1., SHA224., SHA256., SHA384., and SHA512.
Specifies how to request and use truncation via the TSIG MAC Size field.
Recommends implementing SHA1 with 96-bit truncated HMAC-SHA1; makes implementation of HMAC-SHA-1 and HMAC-SHA-256 MANDATORY in addition to HMAC-MD5.

Slide 5: ->04 TSIG SHA Draft Changes
Based on WG Last Call comments on the list and implementer feedback:
– Specify that the error code for "signature too weak" is the same as for a missing signature.
– Specify that the truncated signature value in the request is the one used in calculating the signature for the reply.
– State that policies SHOULD accept longer signatures than they require and SHOULD reply with a signature at least as long as that in the corresponding query.
– Say a little more about recent hash function breaks.
Ready for publication?
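To make the truncation rules on slides 4 and 5 concrete, here is an added example in Python (my own code, not from the slides or from the draft's authors): HMAC-SHA1 truncated to 96 bits through a MAC Size value, a local policy that accepts MACs longer than it requires and replies with a MAC at least as long as the query's, and a reply MAC computed over the request MAC exactly as truncated on the wire. Only the HMAC and the length policy are modelled; the TSIG RR variables that the real digest also covers are omitted. The key, messages, policy sizes and the verdict labels (MISSING, TOO_WEAK, BADSIG, OK) are constructed for illustration and are not TSIG error codes.

```python
"""
Simplified model of TSIG MAC truncation as described on slides 4 and 5.

Added example, not code from the slides or the draft's authors.  It models
only the HMAC, the MAC Size truncation and the length policy; a real TSIG
digest also covers the TSIG RR variables (name, time signed, fudge, ...),
which are omitted here.  Key, messages and policy sizes are constructed.
"""
import hashlib
import hmac
import struct

# Hash functions behind the "TLD"-style algorithm identifiers on slide 4.
HASHES = {
    "SHA1.": hashlib.sha1,
    "SHA224.": hashlib.sha224,
    "SHA256.": hashlib.sha256,
    "SHA384.": hashlib.sha384,
    "SHA512.": hashlib.sha512,
}


def compute_mac(key: bytes, alg: str, data: bytes, mac_size: int) -> bytes:
    """HMAC over data, truncated to mac_size octets (the TSIG MAC Size field).

    Truncation keeps the leftmost octets; mac_size must not exceed the full
    HMAC output length of the chosen algorithm.
    """
    full = hmac.new(key, data, HASHES[alg]).digest()
    if not 0 < mac_size <= len(full):
        raise ValueError("MAC size must be between 1 and the full HMAC length")
    return full[:mac_size]


def reply_input(request_mac: bytes, reply_msg: bytes) -> bytes:
    """Data the reply MAC covers: a 2-octet length, the request MAC exactly as
    truncated on the wire (slide 5, second bullet), then the reply message."""
    return struct.pack("!H", len(request_mac)) + request_mac + reply_msg


class TruncationPolicy:
    """One side's local policy: which algorithm and how short a MAC it accepts."""

    def __init__(self, alg: str, min_mac_size: int):
        self.alg = alg
        self.min_mac_size = min_mac_size

    def verify(self, key: bytes, data: bytes, received_mac: bytes) -> str:
        """Return a constructed verdict label for a received (possibly truncated) MAC."""
        if not received_mac:
            return "MISSING"
        # Slide 5: "signature too weak" is reported with the same error code as
        # a missing signature; distinct labels are kept here for readability.
        if len(received_mac) < self.min_mac_size:
            return "TOO_WEAK"
        # Compare against our own HMAC truncated to the *received* length, so
        # any MAC at least as long as the policy requires is accepted.
        expected = compute_mac(key, self.alg, data, len(received_mac))
        # Constant-time comparison: a plain == would leak timing on the MAC prefix.
        return "OK" if hmac.compare_digest(expected, received_mac) else "BADSIG"

    def reply_mac_size(self, request_mac: bytes) -> int:
        """Reply with a MAC at least as long as the query's (slide 5, third bullet)."""
        return max(len(request_mac), self.min_mac_size)


def run_exchange(key, query, reply, query_mac_size, server, client):
    """Sign a query, verify it at the server, sign the reply, verify it at the client.

    Returns (server_verdict, client_verdict); client_verdict is None when the
    server already rejected the query.
    """
    query_mac = compute_mac(key, server.alg, query, query_mac_size)
    server_verdict = server.verify(key, query, query_mac)
    if server_verdict != "OK":
        return server_verdict, None
    data = reply_input(query_mac, reply)
    reply_mac = compute_mac(key, server.alg, data, server.reply_mac_size(query_mac))
    return server_verdict, client.verify(key, data, reply_mac)


if __name__ == "__main__":
    KEY = b"constructed-shared-tsig-key"            # constructed test key
    QUERY, REPLY = b"example query", b"example reply"  # constructed messages
    # Slide 4's recommendation: HMAC-SHA1 truncated to 96 bits (12 octets).
    server = TruncationPolicy("SHA1.", 12)
    client = TruncationPolicy("SHA1.", 12)
    for size in (12, 20, 8):
        print(f"query MAC of {size} octets ->",
              run_exchange(KEY, QUERY, REPLY, size, server, client))
```

A 12-octet query gets a 12-octet reply and both sides accept; a full 20-octet query is accepted by the 12-octet policy and answered with 20 octets, which the client also accepts; an 8-octet query is rejected as too weak. The last check in the test below shows why slide 5's second bullet matters: a reply MAC keyed on the untruncated request MAC fails verification at a client that feeds in the MAC it actually sent.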

Slide 6: Other Algorithm Drafts
draft-ietf-dnsext-ecc-key-07.txt, formerly draft-schroeppel-dnsind-ecc-*.txt
– Need feedback on the draft, ideally from implementers.
draft-ietf-dnsext-rfc2536bis-dsa-04.txt
– Updates the DSA key/signature RFC
draft-ietf-dnsext-rfc2539bis-dhk-04.txt
– Updates the Diffie-Hellman key RFC

Slide 7: Elliptic Curve Crypto
A public key system.
Keys, signatures, etc. are much more compact than RSA at equivalent strength [RFC 3766].
A standard format is needed for interoperability.
There are numerous patents and claims related to implementations, etc.
This draft now defines both a key format and a signature format, using DNSSEC algorithm number 4, which was previously reserved for this purpose.

Slide 8: RFC 2929
RFC 2929 provided the first IANA considerations for RR TYPEs, CLASSes, RCODEs, OpCodes, header bits, etc.
RFC 2929 generally provides some Private Use, some Publication Required, and some IETF Consensus ranges, and few that are reserved or require Standards Action.

Slide 9: RFC 2929 (cont.)
Problem: "IETF Consensus" and even "Publication Required" are generally considered too hard a bar for getting type codes, etc., so people overload TXT, etc.
Solution?: Permit "Early Allocation" by invoking RFC 4020.
No: RFC 4020 only applies to Standards Actions (not Experimental, etc.) and is still way too burdensome.

Slide 10: RFC 2929bis
Primary effect: replace RFC 2929 with a more liberal document, draft-ietf-dnsext-2929bis-00.txt
Major change:
– Replace many "IETF Consensus" occurrences with "DNS Special Allocation Policy"
Minor changes:
– Also cover AFSDB Subtypes
– Provide some Specification Required RCODE allocation
– Update references, other very minor changes

Slide 11: RFC 2929bis DNS Special Allocation Policy
IANA allocation under ANY of the following:
– Standards Action
– Approval as Experimental
– Temporary / Early Allocation based on RFC 4020, if the request meets ALL of the following:
  Adequately documented in an Internet-Draft
  Complete template
  Published to Namedroppers at least two weeks in advance
  Approval by WG Chair and Area Director (or 2 Area Directors for an individual draft)

Slide 12: 2929bis DNS Special Allocation Policy (cont.)
The DNS Special Allocation Policy applies to parts of the RR TYPE, RR CLASS, and AFSDB Subtype spaces.
Provision for some different template questions for each of the above, but these are not yet fully specified.

Slide 13: DNS Special Allocation Policy
Possible template questions for an RR TYPE Special Early Allocation:
– Why won't an existing RR type do?
– Does the proposed RR require special handling within DNS, different from an Unknown RR Type?

Slide 14: DNS Special Allocation Policy (cont.)
Possible template questions for a CLASS Special Early Allocation:
– Why can't this use an existing CLASS, e.g., as a subtree under the IN CLASS?
– Does the proposed CLASS require special handling within DNS?

Slide 15: DNS Special Allocation Policy (cont.)
Possible template questions for an AFSDB Subtype Special Early Allocation:
– Why is an AFSDB subtype more appropriate than a new RR TYPE?
– Why won't this result in excessively large retrieval results with mixed subtypes for AFSDB queries?