Presentation is loading. Please wait.

Presentation is loading. Please wait.

IS-IS WG IS-IS Cryptographic Authentication Requirements

Published byJesse Rose Modified over 6 years ago

Similar presentations

Presentation on theme: "IS-IS WG IS-IS Cryptographic Authentication Requirements"— Presentation transcript:

1 IS-IS WG IS-IS Cryptographic Authentication Requirements
draft-bhatia-manral-crypto-req-isis-01 Manav Bhatia, Alcatel-Lucent Vishwas Manral, IPInfusion IETF 68, Prague

2 IS-IS – Current Authentication Schemes
Clear Text and MD5 Recent Reports of attacks on collision resistance properties of MD5 and SHA-1 Cryptographic stronger algorithms have been suggested in the WG (HMAC-SHA-1, etc)

3 New Algorithms Keep Coming ..
In Cryptography new algorithms surface continuously and existing ones are continuously attacked .. Thus the choice of mandatory-to-implement algorithms should be conservative to minimize the likelihood of IS-IS being compromised. Would not want to change the IS-IS spec each time a cryptographically stronger algorithm is suggested. Eg., DES in the older IPsec RFC was a MUST but now has become a SHOULD NOT. Same goes with MD5 in the IPsec space.

4 Interoperability Issues
Need a standard that tells which algorithms to support and which not for minimum interoperability. With time the number of algorithms to support will increase and we need a minimum set of algorithms as well as their current state of support documented The document would specify the MUST/ MAY/ SHOULD/ SHOULD NOT for algorithms that are to be supported This would be a running document that can be changed as and when newer algorithms come and the older ones get deprecated For IPsec the algorithms supported in RFC2401 and the ones in RFC4305 have changed. In fact some MUST have become SHOULD NOT etc.

5 Additional RFC 2119 terms SHOULD+ Same as SHOULD. However, it is likely that an algorithm marked as SHOULD+ will be promoted at some future time to be a MUST. MUST- Same as MUST for now. However, its expected that at some point in future this algorithm will no longer be a MUST MAY+ - Same as MAY for now. However, its expected that this algorithm may get promoted at some future time to be a SHOULD.

6 Auth Scheme Selection when Security is required!
Old Old New Req Doc Requirement Authentication Scheme MUST ISO 10589/ SHOULD NOT Clear Text Password (1) RFC 1195 MUST RFC MUST HMAC-MD5 SHOULD Cryptographic Auth (2) Used mostly to avoid accidental introduction of router in a domain. Not useful if security is required Bhatia, M., Manral, V. and White, R. " IS-IS HMAC Cryptographic Authentication”, Work in Progress, draft-ietf-isis-hmac-sha-01.txt

7 Authentication Algo Selection
Old Old New Req RFC Requirement Authentication Algorithm MUST MUST HMAC-MD5 SHOULD HMAC-SHA-1 (1) MAY HMAC-SHA-256/ HMAC-SHA-384/ HMAC-SHA-512 (1) Bhatia, M., Manral, V. and White, R. " IS-IS HMAC Cryptographic Authentication”, Work in Progress

8 Feedback?

Download ppt "IS-IS WG IS-IS Cryptographic Authentication Requirements"

Similar presentations

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)

Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)
By Rod Lykins.  Background  Benefits  Security Advantages ◦ Address Space ◦ IPSec  Remaining Security Issues  Conclusion.

By Rod Lykins.  Background  Benefits  Security Advantages ◦ Address Space ◦ IPSec  Remaining Security Issues  Conclusion.
Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukHash Functions1 Cryptographic Hash Functions CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.

Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.
12/05/2007IETF70 PANA WG1 PANA Network Selection draft-ohba-pana-netsel-00.txt Yoshihiro Ohba.

12/05/2007IETF70 PANA WG1 PANA Network Selection draft-ohba-pana-netsel-00.txt Yoshihiro Ohba.
Internet Research Task Force Crypto Forum Research Group IETF 89 March 3, 2014 London List: Chairs:

Internet Research Task Force Crypto Forum Research Group IETF 89 March 3, 2014 London List: Chairs:
TLS 1.2 and NIST SP 800-56A Tim Polk November 10, 2006.

TLS 1.2 and NIST SP A Tim Polk November 10, 2006.
ISIS Auto-Configuration (draft-liu-isis-auto-conf-01) Bing Liu Bruno Decraene

ISIS Auto-Configuration (draft-liu-isis-auto-conf-01) Bing Liu Bruno Decraene
Message Authentication Code July 2011. Message Authentication Problem  Message Authentication is concerned with:  protecting the integrity of a message.

Message Authentication Code July Message Authentication Problem  Message Authentication is concerned with:  protecting the integrity of a message.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.

Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.
Optimizing BFD Authentication draft-mahesh-bfd-authentication-00 Mahesh Jethanandani, Ashesh Mishra Manav Bhatia, Ankur Saxena.

Optimizing BFD Authentication draft-mahesh-bfd-authentication-00 Mahesh Jethanandani, Ashesh Mishra Manav Bhatia, Ankur Saxena.
7/11/2006IETF-66 MSEC IPsec composite groups page 1 George Gross IdentAware ™ Multicast Security IETF-66, Montreal, Canada July.

7/11/2006IETF-66 MSEC IPsec composite groups page 1 George Gross IdentAware ™ Multicast Security IETF-66, Montreal, Canada July.
A Quick Tour of Cryptographic Primitives Anupam Datta CMU Fall 2009 18739A: Foundations of Security and Privacy.

A Quick Tour of Cryptographic Primitives Anupam Datta CMU Fall A: Foundations of Security and Privacy.
1 Virtual Router Redundancy Protocol (VRRP) San Francisco IETF VRRP Working Group March 2003 San Francisco IETF Mukesh Gupta / Nokia Chair.

1 Virtual Router Redundancy Protocol (VRRP) San Francisco IETF VRRP Working Group March 2003 San Francisco IETF Mukesh Gupta / Nokia Chair.
OSPF WG Stronger, Automatic Integrity Checks for OSPF Packets Paul Jakma, University of Glasgow Manav Bhatia, Alcatel-Lucent IETF 79, Beijing.

OSPF WG Stronger, Automatic Integrity Checks for OSPF Packets Paul Jakma, University of Glasgow Manav Bhatia, Alcatel-Lucent IETF 79, Beijing.
RADEXT WG IETF 91 Rechartering. Why? Current charter doesn’t allow us to take on new work that is waiting in the queue Has an anachronistic Diameter entanglement.

RADEXT WG IETF 91 Rechartering. Why? Current charter doesn’t allow us to take on new work that is waiting in the queue Has an anachronistic Diameter entanglement.

Similar presentations

Ads by Google