Hi Matjaz,
others on this list have more insight in the availability and interoperability
of implementations, and Robert has
already provided some information. If and when the WG decides that it is time
to proceed the RFC to maturity level
Internet Standard we would be happy to cooperate.
Best
Authentication Protocols in USM for SNMPv3
Authors : Johannes Merkle
Manfred Lochter
Filename: draft-ietf-opsawg-hmac-sha-2-usm-snmp-new-05.txt
Pages : 14
Date: 2016-03-18
Abstract:
This document specifies
Association Management Solutions, LLC
>
>
> _______
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
>
--
Kind regards,
Dr. Johannes Merkle
Principal
Division Innere Sicherheit
secunet S
needless to say that I agree with that ;-)
Johannes
joel jaeggli wrote on 24.06.2015 17:40:
> On 6/22/15 7:30 AM, Blumenthal, Uri - 0553 - MITLL wrote:
>> On 6/18/15, 1:21 , "joel jaeggli" wrote:
>>
>>> Stephen Farrell's comment (and former discuss) I think should be food
>>> for thought
Kathleen Moriarty wrote on 14.05.2015 15:58:
>
> I agree with Stephen. My yes was because more secure options are defined,
> but less would be good.
There was some discussion on this (admittedly by quite few participants) and my
summary was as follows
> Question 3: Which (sub)set of prot
raft is a work item of the Operations and Management Area Working
> Group Working Group of the IETF.
>
> Title : HMAC-SHA-2 Authentication Protocols in USM for
> SNMPv3
> Authors : Johannes Merkle
> Manfred Lochter
>
another suggestion:
I'd like to change the title from
HMAC-SHA-2 Authentication Protocols in USM for SNMP
to
HMAC-SHA-2 Authentication Protocols in USM for SNMPv3
^^
Do you agree?
--
Johannes
Dear all,
I will revise the draft according to the remaining comments.
Johannes
Christer Holmberg wrote on 14.04.2015 13:08:
> Hi Tom,
>
>>> Q1_10-1: In the IANA Considerations section, IANA is requested to register
>>> new values. However, it is not mentioned in which registry the new va
this one addresses *all* of Juergen's comments
Johannes
Forwarded Message
Subject: New Version Notification for
draft-ietf-opsawg-hmac-sha-2-usm-snmp-05.txt
Date: Mon, 23 Mar 2015 07:15:24 -0700
From: internet-dra...@ietf.org
To: Johannes Merkle , Manfred Lo
this revision addresses Juergen's issues.
Johannes
Forwarded Message
Subject: New Version Notification for
draft-ietf-opsawg-hmac-sha-2-usm-snmp-04.txt
Date: Mon, 23 Mar 2015 06:47:16 -0700
From: internet-dra...@ietf.org
To: Johannes Merkle , Manfred Lo
Warren Kumari wrote on 06.03.2015 18:45:
> On Fri, Mar 6, 2015 at 12:17 PM, Juergen Schoenwaelder
> wrote:
>> Dear chairs,
>>
>> I think I raised some points during WG last call that should be
>> addressed and I think others supported this. So I would assume that a
>> revised I-D is needed
I am not sure how to resolve this comment. Please give advice.
Juergen Schoenwaelder wrote on 20.02.2015 17:49:
> - The comment behind LAST-UPDATED is wrong (this happens once
> there is redundant information)
Shouldn't the dates specified in LAST-UPDATED and REVISION be the publication
Warren Kumari wrote on 20.02.2015 15:47:
> Dear OpsAWG WG,
>
> The authors of draft-ietf-opsawg-hmac-sha-2-usm-snmp-03 have indicated
> that they believe that the document is ready, and have asked for
> Working Group Last Call.
> The draft is available here:
> https://datatracker.ietf.org/doc
> Putting on the mib doctor hat, I ran smilint over the mib module as well
> using faux oids, smilint reports clean.
>
Thanks for checking this. As Juergen pointed out there are some small issues in
the MIB module which I will fix as soon
as the WG LC has ended.
>
> In the Security Considera
>> this draft addresses Warren's comments.
>
> and mine
yours had been addressed by version 02 already.
Johannes
Working
> Group Working Group of the IETF.
>
> Title : HMAC-SHA-2 Authentication Protocols in USM for SNMP
> Authors : Johannes Merkle
> Manfred Lochter
> Filename: draft-ietf-opsawg-hmac-sha-2-usm-snmp-
aft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Operations and Management Area Working
> Group Working Group of the IETF.
>
> Title : HMAC-SHA-2 Authentication Protocols in USM for SNMP
> Authors
Tom,
>>> > > s9.2
>>> > > is it the length of the key that gives it strength or its entropy?
>>> > > Is abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd0004
>>> > > really stronger than !qaurk/99SS~ ?
>> >
>> > Strictly speaking, you are right, but it is common sense that
> cryptograp
Tom,
thanks for the thorough review. This really helps improving the document.
> s4.2.1 step 2 uses RFC6234 in a way that I think must make it a
> Normative reference. RFC6234 is not Standards Track but that is ok, it
> is already in the list of IESG permitted downrefs (does that need
> calling
Fangliang (Leon, ICSL) wrote on 23.01.2015 08:54:
> The current Key Localization Algorithm has an obvious vulnerability. We never
> see such cryptographic algorithm defect in other widely used protocol. Hacker
> communities have mentioned the current key localization method as a loophole,
> a
Drafts
> directories.
> This draft is a work item of the Operations and Management Area Working
> Group Working Group of the IETF.
>
> Title : HMAC-SHA-2 Authentication Protocols in USM for SNMP
> Authors : Johannes Merkle
>
> I have one minor suggestion. The names of the protocols are not always
> consistent. For example, section 4 uses usmHMAC128SHA224AuthProtocol,
> section 4.1 uses usm128HMACSHA224AuthProtocol, and the MIB uses
> usmHmac128Sha224Protocol. I suggest using names of the form
> usmHMAC128SHA224AuthPro
Warren Kumari wrote on 26.11.2014 18:54:
> So, dear authors, please resubmit as.. etc.
ok, we will do so.
Are there any further suggestions, e.g., from the authors of
draft-hartman-snmp-sha2, for modifications? Now is the right
time to express them.
--
Johannes
Hedanping (Ana) wrote on 01.12.2014 04:51:
> The security of SNMP is emerged to be enhanced. Besides customers won't
> check RFC before using SNMP devices, thus they are not aware of this
> vulnerability. Vendors have to implement extra modules to constrain user
> behavior, but not all the ven
> We chairs see a preference on the opsawg mailing list to adopt
> draft-hmac-sha-2-usm-snmp as a working group document.
>
> That said, we would like to request that the authors of the two
> drafts try one more time to compromise on a single document.
>
Actually, I hoped that my suggestion on
[I just realized that the authors of draft-hartman-snmp-sha2 were not in cc]
> We chairs see a preference on the opsawg mailing list to adopt
> draft-hmac-sha-2-usm-snmp as a working group document.
>
> That said, we would like to request that the authors of the two
> drafts try one more time
t.petch wrote on 25.09.2014 18:42:
> A month on, what is the WG chairs take on this?
Good question. Even more time has passed by now.
Maybe it helps, if I summarize the results of my poll. Hereby, I assume that
the authors of the two drafts prefer their
respective approach (a presumption, I can
Uri Blumenthal asked me to forward his answers below to the list (he is not
subscribed).
Johannes
Original Message
Subject: Re: [OPSAWG] Call for Adoption: draft-hmac-sha-2-usm-snmp
Date: Mon, 22 Sep 2014 17:19:38 +
From: Blumenthal, Uri - 0558 - MITLL
To: Johannes
Warren Kumari wrote on 02.09.2014 17:27:
> These sound like reasonable questions to me -- let's give this a few
> days to see where things settle (hint: if you have views on this
> topic, please reply so your views are heard).
Actually, I'll have to give it two weeks as I will be on holiday.
--
As Warren asked us to check the option of combining both drafts, I'm not sure
if a general vote for one draft is the
best way forward.
I would appreciate if all interested parties (incl Tom and David) could
indicate their preference in the following 3
questions:
1. Should the protocols be descr
Hedanping (Ana) wrote on 28.08.2014 06:40:
>
>> Johannes wrote on 27.08.2014 19:46:
>>
>> The purpose of our delta-description was to make clear that the basic
>> protocol
>> design of RFC 3414 does not change (only the hash function and the lengths of
>> some data) and to facilitate implementati
Sam Hartman wrote on 26.08.2014 22:26:
> I've reviewed both draft-hartman-snmp-sha2 and
> draft-hmac-sha-2-usm-snmp.
>
> In general, I believe that draft-hartman-snmp-sha2 provides a better
> starting point for a SHA2 authentication algorithm for USM.
In general, I would have no objections with t
>>
>>
>>
>> Thanks,
>> Warren Kumari
>> (as OpsAWG WG co-chair)
>>
Another try to gather some feedback. Some people have already expressed their
support for adopting the draft and have
provided feedback to previous version, so I put them on cc. Please indicate, if
you see any issues.
Johannes
Johannes Merkle wrote on 26.05.2014 11:21:
> so far, there
so far, there has been no feedback on the new version, but the discussion on
the previous one indicated considerable
interest. Does the silence indicate "no objections" or are there still issues?
Should the draft be adopted by the WG?
Johannes
Johannes Merkle wrote on 06.05.2014 1
8:29 -0700
From:
To: Johannes Merkle , Manfred Lochter
, Manfred Lochter
, Johannes Merkle
A new version of I-D, draft-hmac-sha-2-usm-snmp-01.txt
has been successfully submitted by Johannes Merkle and posted to the
IETF repository.
Name: draft-hmac-sha-2-usm-snmp
Revision:
Wes,
> I'm not entirely convinced that a 256bit truncation is better than a 384
> bit truncation, so my preference would be to include just two (not 6)
> algorithms because I don't think they're all needed and will just make
> things more confusing. So I'd pick the best two of the 6 and go with
>
Blumenthal, Uri - 0558 - MITLL wrote on 28.03.2014 15:39:
> Truncation is probably specified in some of the RFCs produced *based on*
> the Suite B spec. I think they're in line with IPsec, i.e., HMAC-SHA1-96.
>
It is specified in NIST SP 800-107rev1, Section 5.3.3
--
Johannes
t.petch wrote on 27.03.2014 19:02:
> Some more red tape.
>
> The copyright in the MIB module is 2004.
oops! Got me, I copied and modified that from RFC 3826.
>
> You used the word 'SHALL' in s.3 which says to me that you need a
> reference to RFC2119 and the boilerplate associated with it.
Ri
Blumenthal, Uri - 0558 - MITLL wrote on 27.03.2014 17:46:
> On 3/27/14 10:23 , "t.petch" wrote:
>> a good model to follow, which Uri's suggestion does.
>
> :-) Yep!
Ok, I will change names accordingly.
>> So my thinking would be either a MUST implement for one, or recommend
>> that all sho
David Reid wrote on 25.03.2014 19:06:
>
> I would prefer shrinking the number of choices and using the truncated
> ones, although I don't feel strongly about that preference.
Please have a second look: all of them are truncated, they only differ in the
extent of truncation. Which truncation
len
Blumenthal, Uri - 0558 - MITLL wrote on 25.03.2014 16:52:
> On 3/25/14 11:33 , "t.petch" wrote:
>
>> I am confused by your choice of names. The text uses, e.g.,
>> usmHMACSHA224128AuthProtocol
>>
>> whereas the MIB module has
>>
>> usmHmacSha224128Protocol
>>
>> Do these refer to the same ide
Dear all,
a while ago, I had announced a draft on a new USM authentication protocol
HMAC-SHA-256-128 for use in SNMP. Following
Uri's suggestion (and with his valuable support) I have considerably extended
the draft:
- Further SHA-2 based HMAC authentication protocols have been included to
pro
>>
>> The new protocol is a straightforward adaptation of the protocols
>> HMAC-MD5-96 and HMAC-SHA-96 from RFC 3414 to the SHA-256 based HMAC
>> with truncation to 128 bits. Comments and suggestions are welcome.
>
> Would it be valuable to also add SHA-512?
>
> We actually implemented all 4 bi
stupid me, I forgot to include the link to the draft:
http://www.ietf.org/internet-drafts/draft-hmac-sha-256-128-usm-snmp-00.txt
http://tools.ietf.org/html/draft-hmac-sha-256-128-usm-snmp-00
Johannes
Johannes Merkle wrote on 05.11.2013 16:58:
> we have published a draft on a
we have published a draft on a new authentication protocol for USM for SNMP.
Abstract
This memo specifies a new optional HMAC-SHA-256-128 authentication
protocol for the User-based Security Model (USM) for SNMPv3 defined
in RFC 3414.
The new protocol is a straightforward adaptation of t
46 matches