[Docs] [txt|pdf] [Tracker] [WG] [Email] [Nits]

Versions: 00

INTERNET-DRAFT                                        Steven M. Bellovin
draft-ietf-snmpv3-as-00.txt                           Randy Bush
2001.12.26                                            AT&T Research


      Applicability Statement for SNMPv3 Cryptographic Algorithms


    Copyright (C) The Internet Society (2002).  All Rights Reserved.

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

0. Abstract

   This document attempts to put in perspective the use of cryptographic
   algorithms in the Simple Network Monitoring Protocol Version 3
   standard.  In particular, it notes that today's standard is
   infinitely more secure than previous versions, as the previous
   versions had zero security.  It further notes that, as cryptographic
   algorthim developments change over time, we expect that the
   recommended algorithms will change when the security community has
   reached new consensus.

1. The Current Standard is Infinitely Better

   SNMPv1 [RFC1157] and SNMPv2c [RFC1901] SNMP transmitted community
   strings, analogous to passwords, as cleartext over the internet.
   This is clearly against common sense as well as the prescription in
   [RFC2316].





Bellovin & Bush            Expires 2002.08.22                   [Page 1]


INTERNET-DRAFT   AS for SNMPv3 Cryptographic Algorithms       2002.02.22


   But, we also note that single-DES, as used in the SNMPv3 privacy
   protocols, is a very old cryptographic algorithm, and cryptographic
   algorithms do not improve with age [DESCRACK].  Moore's Law means
   algorithims become more vulnerable to computational attacks over
   time.  And mathematical analysis of any algorithm over time tends to
   reveal weaknesses previously missed.

2. The Standard Allows for Change

   Having the foresight to anticipate advances in cryptography, the
   SNMPv3 standard allows for future additions of new cryptographic
   algorithms, and even changes in which algorithms are mandatory to
   implement.

3. Change should be Anticipated

   While CBC single mode DES is used in the current standard, it is
   rather old and it is anticipated that the community should expect to
   see an evolution to AES or some more modern algorithm in the future.

   HMAC MD5 and HMAC SHA-1, as used in the SNMPv3 authentication
   protocols, are considered to be the state of the art at the current
   time,

4. Security Considerations

   This document is about security, specifically that of the
   cryptographic algorithms used by SNMPv3.  It notes the status and
   anticipated development of these algorithms, but is not believed to
   change the security of the SNMPv3 protocol.

5. Acknowledgments

   Bert Wijnen, Marcus Leech, and Jeff Schiller were instrumental in the
   development of this document.

6. References

[RFC1157]
     Simple Network Management Protocol (SNMP). J.D. Case, M. Fedor,
     M.L. Schoffstall, C. Davin. May-01-1990.

[RFC1901]
     Introduction to Community-based SNMPv2. J. Case, K. McCloghrie, M.
     Rose, S. Waldbusser.

[RFC2316]
     Report of the IAB Security Architecture Workshop. S. Bellovin.



Bellovin & Bush            Expires 2002.08.22                   [Page 2]


INTERNET-DRAFT   AS for SNMPv3 Cryptographic Algorithms       2002.02.22


     April 1998.

[DESCRACK]
     "Cracking DES: Secrets of Encryption Research, Wiretap Politics,
     and Chip Design". J. Gilmore. O'Reilly and Associates.  1998.

7. Authors' Addresses

   Steven M Bellovin
   AT&T Shannon Laboratory, Room E-215
   180 Park Ave. Bldg. 103
   Florham Park, NJ   US-07932-0000
   +1 973 360 8656
   +1 973 360 8077 fax
   smb@research.att.com

   Randy Bush
   5147 Crystal Springs
   Bainbridge Island, WA US-98110
   +1 206 780 0431
   randy@psg.com

8. Full Copyright Statement

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published and
   distributed, in whole or in part, without restriction of any kind,
   provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of developing
   Internet standards in which case the procedures for copyrights defined
   in the Internet Standards process must be followed, or as required to
   translate it into languages other than English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
   NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
   WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.



Bellovin & Bush            Expires 2002.08.22                   [Page 3]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/