First off, an apology for the delays. Scott and I have been traveling
and have had a hard time meeting up for our standard chair's calls...
So, bringing everyone up to date...
Clearly it would be a good idea to bring SNMP security up to date by
adding support for SHA-2. There are two Internet Drafts that propose
to do that:
draft-hmac-sha-2-usm-snmp
draft-hartman-snmp-sha2
Both of these drafts have had discussion on this list and were the
subjects of an informal poll - see
http://www.ietf.org/mail-archive/web/opsawg/current/msg03596.html
Just as clearly, this is not the type of situation where the IETF
could adopt two different approaches and let the market decide.
We chairs see a preference on the opsawg mailing list to adopt
draft-hmac-sha-2-usm-snmp as a working group document.
That said, we would like to request that the authors of the two
drafts try one more time to compromise on a single document.
We also invite a representative of the authors of each document to
discuss the issues during the opsawg session during IETF 91 (Nov 12 -
9:00 AM).
We will try to judge the consensus of those present at the session,
and then on the mailing list, to determine a path forward.
Scott & Warren
On Fri, Oct 24, 2014 at 7:19 AM, Johannes Merkle
<[email protected]> wrote:
> t.petch wrote on 25.09.2014 18:42:
>> A month on, what is the WG chairs take on this?
>
> Good question. Even more time has passed by now.
>
> Maybe it helps if I summarize the results of my poll. Hereby, I assume that
> the authors of the two drafts prefer their respective approach (a
> presumption I can confirm for draft-hmac-sha-2-usm-snmp).
>
> Question 1: Should the protocols be described
> a) as "diff" to the previous protocols like done in
> draft-hmac-sha-2-usm-snmp, or
> b) completely and based on a description of a generic hmac-based
> authentication protocol, as done in draft-hartman?
>
> Result:
> a) is preferred by the authors of draft-hmac-sha-2-usm-snmp, and by David
> Reid, Tom Petch, Uri Blumenthal
> b) is preferred by the authors of draft-hartman-snmp-sha2.
>
> Question 2: Should the protocols be based on complete or truncated HMACs?
> - complete is preferred by the authors of draft-hartman-snmp-sha2.
> - truncated is preferred by the authors of draft-hmac-sha-2-usm-snmp, and by
> David Reid, Tom Petch, Uri Blumenthal
>
> Question 3: Which (sub)set of protocols (hash function, MAC length) should be
> selected?
> - Johannes: SHA-256-192 as MUST, SHA-512-256 as SHOULD, all other can be MAY
> or omitted.
> - Uri: SHA-256-192 and SHA-384-320 as MUST, SHA-512-256 as SHOULD, and
> SHA-224-??? as MAY
> - Tom: AFAIU, he agrees with the preferences expressed by David, Johannes and
> Uri.
> - David: SHA-256-192 and SHA-512-384.
> (In all the above cases, the preferences were not that strong; there was
> mainly the wish to reduce the number of protocols in the current draft.)
> - Again, I assume that the authors of draft-hartman-snmp-sha2 prefer their
> proposals.
>
> The preferences are clearly split between two groups, the authors of
> draft-hartman-snmp-sha2 on one side, the authors of
> draft-hmac-sha-2-usm-snmp, David Reid, Tom Petch, and Uri Blumenthal on the
> other. I don't see any potential compromise here.
>
> My proposal, which is clearly biased due to my role as author, is to continue
> with draft-hmac-sha-2-usm-snmp and to shorten the list of protocols, e.g. to
> usmHMAC192SHA256AuthProtocol as MUST
> usmHMAC384SHA512AuthProtocol as SHOULD
> usmHMAC256SHA384AuthProtocol and usmHMAC128SHA224AuthProtocol as MAY
>
> In these proposals the truncation is reduced to 25%, which is in line with
> the preferences expressed by Uri and David, and may even reduce the concerns
> of the authors of draft-hartman-snmp-sha2 about truncation.
>
>
> So, chairs, what is your decision?
>
> Johannes
>
>
>>
>> Tom Petch
>>
>> ----- Original Message -----
>> From: "Warren Kumari" <[email protected]>
>> To: "[email protected]" <[email protected]>;
>> <[email protected]>
>> Sent: Wednesday, August 27, 2014 8:11 PM
>>>
>>> Scott and I just chatted about this.
>>> We see that there is interest in this topic, we think it is an
>>> important topic, and we would like to adopt /a/ document that
>>> addresses this.
>>>
>>> We'd appreciate it if the authors of draft-hmac-sha-2-usm-snmp and
>>> draft-hartman-snmp-sha2 can discuss how to move forward, possibly by
>>> combining the documents into one, or selecting one and folding in
>>> comments from the other.
>>>
>>> Again, we think that this is an important topic, and would like to get
>>> the best possible document adopted.
>>>
>>> Warren and Scott.
>>>
>>>
>>>
>>> On Mon, Aug 11, 2014 at 5:28 PM, Warren Kumari <[email protected]>
>>> wrote:
>>>> Dear OpsAWG WG,
>>>>
>>>> This starts a Call for Adoption for draft-hmac-sha-2-usm-snmp.
>>>>
>>>> The draft is available here:
>>>> https://datatracker.ietf.org/doc/draft-hmac-sha-2-usm-snmp/
>>>>
>>>> Please review this draft to see if you think it is suitable for
>>>> adoption by OpsAWG, and send comments to the list, clearly stating
>>>> your view.
>>>>
>>>> Please also indicate if you are willing to contribute text, review,
>>>> etc.
>>>>
>>>> This call for adoption ends Mon 25-Aug-2014.
>>>>
>>>> In addition, to satisfy RFC 6702 ("Promoting Compliance with
>>>> Intellectual Property Rights (IPR)"):
>>>> If you are personally aware of any IPR that applies to
>>>> draft-hmac-sha-2-usm-snmp, has this IPR been disclosed in compliance
>>>> with IETF IPR rules? (See RFCs 3979, 4879, 3669, and 5378 for more
>>>> details.)
>>>>
>>>>
>>>>
>>>> Thanks,
>>>> Warren Kumari
>>>> (as OpsAWG WG co-chair)
>>>
>>>
>>>
>>
>> _______________________________________________
>> OPSAWG mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/opsawg
>>
>>
>
--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
---maf
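The truncated-MAC protocols Johannes lists in his summary (usmHMAC192SHA256AuthProtocol and friends) name an HMAC-SHA-2 output cut down to a fixed number of bits, and the poll's "complete vs. truncated" question and the "25% truncation" figure are easiest to judge with the numbers in front of you. The Python below is an added illustration, not code from either draft: it parses such a protocol name, computes the truncated MAC over a constructed key and message, checks a received MAC in constant time, and reports what fraction of the full HMAC output each proposed protocol discards. Truncation to the leftmost bits (as in RFC 2104) and the sample key and message are assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample values (not from the thread): a localized USM auth key
# and the bytes of an SNMPv3 message over which authParameters is computed.
SAMPLE_KEY = bytes(range(32))
SAMPLE_MSG = b"\x30\x2e\x02\x01\x03" + b"constructed-snmpv3-message-body"

# Name pattern from the thread: usmHMAC<mac bits>SHA<hash bits>AuthProtocol,
# e.g. usmHMAC192SHA256AuthProtocol -> HMAC-SHA-256 truncated to 192 bits.
PROTOCOL_RE = re.compile(r"^usmHMAC(\d+)SHA(\d+)AuthProtocol$")
SHA2_HASHES = {"sha224", "sha256", "sha384", "sha512"}


def parse_protocol(name):
    """Return (hashlib name, MAC length in bits) for a SHA-2 USM protocol name."""
    m = PROTOCOL_RE.match(name)
    if not m:
        raise ValueError("not a SHA-2 USM auth protocol name: %r" % name)
    mac_bits, hash_name = int(m.group(1)), "sha" + m.group(2)
    if hash_name not in SHA2_HASHES:
        raise ValueError("unknown SHA-2 variant in %r" % name)
    full_bits = hashlib.new(hash_name).digest_size * 8
    if mac_bits % 8 or not 0 < mac_bits <= full_bits:
        raise ValueError("MAC length %d bits is invalid for %s" % (mac_bits, hash_name))
    return hash_name, mac_bits


def truncated_hmac(name, key, message):
    """authParameters value: HMAC over the message, keeping the leftmost mac_bits (assumed RFC 2104 truncation)."""
    hash_name, mac_bits = parse_protocol(name)
    return hmac.new(key, message, hash_name).digest()[: mac_bits // 8]


def verify(name, key, message, received_mac):
    """Recompute the truncated MAC and compare in constant time; wrong length fails."""
    expected = truncated_hmac(name, key, message)
    return len(received_mac) == len(expected) and hmac.compare_digest(expected, received_mac)


def truncation_fraction(name):
    """Fraction of the full HMAC output that the named protocol discards."""
    hash_name, mac_bits = parse_protocol(name)
    return 1 - mac_bits / (hashlib.new(hash_name).digest_size * 8)


if __name__ == "__main__":
    for proto in ("usmHMAC192SHA256AuthProtocol", "usmHMAC384SHA512AuthProtocol",
                  "usmHMAC256SHA384AuthProtocol", "usmHMAC128SHA224AuthProtocol"):
        mac = truncated_hmac(proto, SAMPLE_KEY, SAMPLE_MSG)
        print("%-30s %2d-byte MAC, %4.1f%% of output discarded"
              % (proto, len(mac), 100 * truncation_fraction(proto)))
```

Only the two 256/512 protocols in the shortened list discard exactly a quarter of the output; the 384 and 224 variants drop about a third and over 40% respectively.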