Hi Ben, all,

Glad to see that you found the text that explains why MD5 is supported in the model.

Added this NEW text to the security considerations section:

   As discussed in Section 7.6.3, the module supports MD5 to basically
   accommodate the installed BGP base. MD5 suffers from the security
   weaknesses discussed in Section 2 of [RFC6151] or Section 2.1 of
   [RFC6952].

Cheers,
Med

> -----Original Message-----
> From: last-call [mailto:last-call-bounces@xxxxxxxx] On Behalf Of Benjamin Kaduk
> Sent: Tuesday, August 3, 2021 06:21
> To: tom petch <daedulus@xxxxxxxxxxxxx>
> Cc: last-call@xxxxxxxx; draft-ietf-opsawg-l3sm-l3nm.all@xxxxxxxx;
> Rifaat Shekh-Yusef <rifaat.s.ietf@xxxxxxxxx>; secdir@xxxxxxxx
> Subject: Re: [Last-Call] Secdir last call review of draft-ietf-opsawg-l3sm-l3nm-10
>
> Hi Tom,
>
> On Thu, Jul 29, 2021 at 05:10:00PM +0100, tom petch wrote:
> > Reading this I-D, I wondered what the secdir view is of recommending
> > the use of MD5 to secure the session as this I-D does for BGP. (Such
> > a use in NTP did generate a comment).
>
> This part:
>
>    'authentication': The module adheres to the recommendations in
>       Section 13.2 of [RFC4364] as it allows enabling TCP-AO
>       [RFC5925] and accommodates the installed base that makes use of
>       MD5. In addition, the module includes a provision for the use
>
> seems to be about as good as we can do given the current state of
> deployment and implementation.
>
> I will probably suggest adding some additional discussion of the
> weakness of MD5 to the security considerations in my ballot
> comments, if no such text appears before then.
>
> Thanks,
>
> Ben
>
> --
> last-call mailing list
> last-call@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/last-call