
Re: BGP as Draft vs. RFC 2385



In message <200303181746.h2IHkepL005976@newdev.harvard.edu>, Scott Bradner writes:
>> Put another way, there's no way we can advance 2385 to DS, since it has 
>> known technical failings.  But where does that leave BGP?
>
>how serious are the failings when this is used the way that it is in BGP?
>(generally "short" connections between peers - )
>

I think you saw Hugo's full note -- I'll quote it for everyone else:


  I am not familiar with the rfc and its envisioned application scope,
  something that is important to understand when judging empirical threats.
  
  In general, I would say that there is no explicit attack known today that
  will pose an immediate practical threat to the use of "appended-key MD5"
  which is the MAC algorithm defined in this rfc. On the other hand, this
  mode is susceptible to collision attacks on MD5 of the type Dobbertin
  developed. Yet since Dobbertin's attack falls a bit short of providing
  explicit collisions for MD5 it does not directly apply here. So while the
  existence of these almost-attacks should be sufficient reason not to adopt
  "appended-key MD5" in a new standard, I do not think that it is
  catastrophic to keep it in a place where it is widely deployed. 
  
  The document already warns about the potential vulnerabilities. I would
  actually add a stronger recommendation in the document itself to
  eventually replace the method with a stronger MAC. The right way for doing
  this is not just replace MD5 with SHA1 as indicated in the rfc but upgrade
  the method to support more than a single mechanism (adding an algorithm
  identifier) and specify HMAC as the default (possibly, HMAC-MD5 if
  performance is an issue). Note that HMAC-MD5 is not susceptible at all to
  MD5 collisions (even if Dobbertin's attack were fully successful in
  finding them). An attack against HMAC needs to find collisions specific to
  a secret key, an enormously harder problem.
  
  Bottom line: it would be certainly better to have the standard defined
  with HMAC (even HMAC-MD5) but it is not catastrophic (given current
  knowledge and attacks) to keep the current "appended-key MD5".
  In particular, if the key is derived from weak passwords, a dictionary
  attack may be a much more practical avenue of attack than attacking MD5...
  
  As for the question on attacks on keyed hash functions I do not think that
  there is anything significant beyond the attacks described in the HMAC
  paper and in the Preneel-van Oorschot paper from Crypto '95.

In other words, 2385 isn't the weak point for BGP authentication -- 
there's no real attack against it, and given the path characteristics 
it's hard to attack.  But it's not good enough itself for promotion to
DS, in my opinion.  

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
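The two constructions Hugo's note contrasts, as an added example that is not part of the thread or of any RFC: the RFC 2385 signature is MD5 over the TCP pseudo-header, the fixed TCP header with the checksum zeroed, the segment data, and finally the key; HMAC-MD5 over the same region puts the key first. The algorithm identifiers ALG_APPENDED_MD5 and ALG_HMAC_MD5 are hypothetical, standing in for the "more than a single mechanism" upgrade the note sketches, and the BGP KEEPALIVE segment, the key and the wordlist are constructed here. The dictionary_attack function is the note's closing point made concrete: one captured signed segment is enough to test password guesses offline.

```python
"""RFC 2385-style appended-key MD5 beside HMAC-MD5 over a TCP segment.

Added example, not code from the thread or any RFC.  The segment, key,
wordlist and algorithm identifiers below are constructed/hypothetical.
"""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5_OPTION_KIND = 19   # TCP MD5 Signature Option kind (RFC 2385)
MD5_OPTION_LEN = 18    # kind + length + 16-byte digest

# Hypothetical algorithm identifiers (RFC 2385 itself has no such field).
ALG_APPENDED_MD5 = 0
ALG_HMAC_MD5 = 1


def tcp_pseudo_header(src_ip, dst_ip, segment_len):
    """IPv4 pseudo-header: src, dst, zero byte, protocol, TCP segment length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, segment_len))


def tcp_fixed_header(sport, dport, seq, ack, flags, window, data_offset_words):
    """20-byte TCP header as RFC 2385 hashes it: checksum field zero.
    The urgent pointer is 0 here simply because URG is not set."""
    offset_and_flags = (data_offset_words << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_and_flags, window, 0, 0)


def signed_region(src_ip, dst_ip, fixed_hdr, options_len, data):
    """Bytes covered by the signature: pseudo-header, fixed header, data.
    Options are excluded from the digest but counted in the segment length."""
    segment_len = len(fixed_hdr) + options_len + len(data)
    return tcp_pseudo_header(src_ip, dst_ip, segment_len) + fixed_hdr + data


def appended_key_md5(region, key):
    """RFC 2385 construction: MD5(region || key).  The key is the last input,
    so an MD5 collision on two equal-length, block-aligned regions would give
    the same MAC for every key (Merkle-Damgard chaining)."""
    return hashlib.md5(region + key).digest()


def hmac_md5(region, key):
    """HMAC-MD5 (RFC 2104): the key enters before the message, so a forger
    needs a collision under a secret inner state, not a public MD5 collision."""
    return hmac.new(key, region, hashlib.md5).digest()


def sign(alg, region, key):
    if alg == ALG_APPENDED_MD5:
        return appended_key_md5(region, key)
    if alg == ALG_HMAC_MD5:
        return hmac_md5(region, key)
    raise ValueError("unknown algorithm id %r" % alg)


def md5_option(digest):
    """Encode the 18-byte TCP option that carries the digest on the wire."""
    return struct.pack("!BB", MD5_OPTION_KIND, MD5_OPTION_LEN) + digest


def verify(alg, region, key, received_digest):
    return hmac.compare_digest(sign(alg, region, key), received_digest)


def dictionary_attack(alg, region, observed_digest, wordlist):
    """Offline password guessing from a single captured signed segment."""
    for cand in wordlist:
        if sign(alg, region, cand.encode()) == observed_digest:
            return cand
    return None


# Constructed sample: a BGP KEEPALIVE (16-byte all-ones marker, length 19,
# type 4) from 192.0.2.1:179 to 192.0.2.2:40000, PSH+ACK, with a 20-byte
# option field (MD5 option plus two NOPs), so the data offset is 10 words.
SRC, DST = "192.0.2.1", "192.0.2.2"
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
OPTIONS_LEN = 20
FIXED_HDR = tcp_fixed_header(179, 40000, 1000, 2000, 0x18, 65535, 10)
REGION = signed_region(SRC, DST, FIXED_HDR, OPTIONS_LEN, KEEPALIVE)
WEAK_KEY = b"bgp123"                                   # constructed
WORDLIST = ["password", "cisco", "bgp123", "secret"]   # constructed

if __name__ == "__main__":
    sig = sign(ALG_APPENDED_MD5, REGION, WEAK_KEY)
    print("RFC 2385 option :", md5_option(sig).hex())
    print("HMAC-MD5 digest :", sign(ALG_HMAC_MD5, REGION, WEAK_KEY).hex())
    print("guessed key     :", dictionary_attack(ALG_APPENDED_MD5, REGION, sig, WORDLIST))
```

Both constructions produce a 16-byte digest that fits the existing option, which is why an algorithm identifier, rather than a new option format, is the natural way to negotiate the upgrade; the dictionary attack works identically against either MAC, which is the note's point that a weak password, not the MD5 mode, is the practical weak link.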