Re: [homenet] Comments on draft-acee-ospf-ospfv3-autoconfig-00
Acee Lindem <acee.lindem@ericsson.com> Tue, 15 November 2011 18:52 UTC
From: Acee Lindem <acee.lindem@ericsson.com>
To: Michael Richardson <mcr@sandelman.ca>
Date: Tue, 15 Nov 2011 13:52:14 -0500
Cc: "<homenet@ietf.org>" <homenet@ietf.org>
Subject: Re: [homenet] Comments on draft-acee-ospf-ospfv3-autoconfig-00
Hi Michael,

On Nov 15, 2011, at 10:26 AM, Michael Richardson wrote:

>
> >>>>> "Lorenzo" == Lorenzo Colitti <lorenzo@google.com> writes:
>     Lorenzo> 4. For security, I think we should pick an auth scheme and
>     Lorenzo> stick to it, otherwise it will just lead to fragmentation.
>     Lorenzo> Some pre-shared key scheme might be adequate; I don't know
>     Lorenzo> much about security so I don't really care what it is, but
>     Lorenzo> I do think we need to have one and it needs to be the same
>     Lorenzo> for everyone. I think we should say MUST here.
>
> So, let me go over the options in order to violently agree.
>
> 1) OSPF is multicast, so we can't use any bilateral key-agreement
>    protocol on its own. Statically keyed AH can be used for multicast
>    traffic, and a router can trivially ignore an AH validation failure in
>    order to provide some diagnostics by evaluating the contents of
>    the OSPF frame. (This requires hacks on platforms that already have
>    IPsec, but if you implement the AH inside the OSPF daemon....)
>
>    (so diagnostics can say, "I saw router FOO on interface BLAH, but
>    the key didn't match, so I ignored it", or even, "I saw router FOO
>    on interface BLAH, and since the key didn't match, I treated it as a
>    guest network". What router FOO thinks of the packets it receives is an
>    open question)
>
> 2) While we could invoke some kind of group-KMP, these essentially work
>    out to a series of bilateral trust relationships which results in the
>    master machine giving out the pre-shared secret in a secure fashion.
>    The bilateral trust mechanism needs to be anchored by something,
>    and you can invoke public key mechanisms, or... shared secret.
>
>    Public key mechanisms with a leap-of-faith and then confirmation via UI
>    would be very cool, but completely exceed our needs.
>
> 3) my understanding is that OSPFv3 eliminated the plain-text HELLO and
>    md5 methods.
>
> The major thing we need to specify for zOSPF is that we need to pick a
> well-known SPI value for the AH header. That SPI value will need to
> specify an algorithm (HMAC-SHA1, HMAC-SHA2, HMAC-SHA3...) and perhaps a
> key length. We should publish a few choices for future interop, but we
> will need to pick one MUST for today. We can't really be resistant
> against a bid-down attack, but even HMAC-SHA1 is pretty resistant today
> (vs bare SHA1), and I think that we can count upon being able to specify
> HMAC-SHA3 for this work.

We will soon have non-IPsec authentication for OSPFv3:

http://www.ietf.org/id/draft-ietf-ospf-auth-trailer-ospfv3-10.txt

The point that I don't understand from this E-mail thread is where the
Security Association (SA) comes from to use for auto-configured OSPFv3
routers? I guess it is from a USB flash drive ;^)).

Also, are you and Lorenzo suggesting we make authentication MANDATORY
for auto-configured OSPFv3 routers?

Thanks,
Acee

> --
> ] He who is tired of Weird Al is tired of life!           | firewalls   [
> ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
> then sign the petition.
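The keyed scheme Michael sketches (a well-known SA/SPI, one MUST algorithm, and a receiver that can still read a packet whose key didn't match in order to log a diagnostic) and the pre-shared-key authentication trailer Acee points to, as an added example that is not from the thread or from the draft: a simplified model with a well-known SA ID, a sequence number for replay detection, and an HMAC-SHA256 verify path that returns the "key didn't match" diagnostic instead of silently dropping. The trailer layout, SA ID, key and packet bytes are constructed assumptions, not the draft's wire format.

```python
import hmac
import hashlib
import struct

SA_ID = 0x0001                           # constructed "well-known" SA identifier
PSK = b"constructed-homenet-shared-key"  # constructed sample pre-shared key
TRAILER_LEN = 2 + 8 + 32                 # SA ID + 64-bit sequence + HMAC-SHA256 tag


def add_trailer(pkt, key, seq, sa_id=SA_ID):
    """Append SA ID, sequence number and an HMAC-SHA256 tag computed over
    the packet plus those two fields (simplified; not the draft's wire format)."""
    hdr = struct.pack("!HQ", sa_id, seq)
    tag = hmac.new(key, pkt + hdr, hashlib.sha256).digest()
    return pkt + hdr + tag


def verify(frame, keys, last_seq, router_id, ifname):
    """Check a received frame. Returns (status, diagnostic, payload).

    status is one of "ok", "short", "unknown-sa", "bad-key", "replay".
    On a key mismatch the payload is still returned so the receiver can log
    who it saw, as Michael's diagnostic suggests, without accepting the packet.
    """
    if len(frame) < TRAILER_LEN:
        return "short", "frame too short for a trailer", None
    body, hdr, tag = frame[:-TRAILER_LEN], frame[-TRAILER_LEN:-32], frame[-32:]
    sa_id, seq = struct.unpack("!HQ", hdr)
    key = keys.get(sa_id)
    if key is None:
        return "unknown-sa", "no key for SA %d" % sa_id, None
    expected = hmac.new(key, body + hdr, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):       # constant-time compare
        return ("bad-key",
                "I saw router %s on interface %s, but the key didn't match, "
                "so I ignored it" % (router_id, ifname), body)
    if seq <= last_seq.get((sa_id, router_id), -1):  # per-neighbour replay check
        return "replay", "sequence %d not fresh from %s" % (seq, router_id), None
    last_seq[(sa_id, router_id)] = seq
    return "ok", "authenticated router %s on %s" % (router_id, ifname), body


def demo():
    """Exercise the accept, replay and wrong-key paths on a constructed packet."""
    keys = {SA_ID: PSK}
    state = {}
    hello = b"\x03\x01" + b"constructed OSPFv3 Hello body"   # version 3, type 1 (Hello)
    good = add_trailer(hello, PSK, 1)
    return [verify(good, keys, state, "FOO", "BLAH")[0],
            verify(good, keys, state, "FOO", "BLAH")[0],                          # replayed
            verify(add_trailer(hello, b"wrong-key", 2), keys, state, "FOO", "BLAH")[0]]
```

`demo()` returns `["ok", "replay", "bad-key"]`; the bad-key case still hands back the packet body so the daemon can log the neighbour it saw.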