Re: [homenet] Comments on draft-acee-ospf-ospfv3-autoconfig-00

Acee Lindem <acee.lindem@ericsson.com> Tue, 15 November 2011 18:52 UTC

From: Acee Lindem <acee.lindem@ericsson.com>
To: Michael Richardson <mcr@sandelman.ca>
Date: Tue, 15 Nov 2011 13:52:14 -0500
Cc: "<homenet@ietf.org>" <homenet@ietf.org>

Hi Michael,

On Nov 15, 2011, at 10:26 AM, Michael Richardson wrote:

> 
> 
> 
>>>>>> "Lorenzo" == Lorenzo Colitti <lorenzo@google.com> writes:
>    Lorenzo> 4. For security, I think we should pick an auth scheme and
>    Lorenzo> stick to it, otherwise
>    Lorenzo> it will just lead to fragmentation. Some pre-shared key
>    Lorenzo> scheme might be adequate; I don't know much about security
>    Lorenzo> so I don't really care what it is, but I do think we need
>    Lorenzo> to have one and it needs to be the same for 
>    Lorenzo> everyone. I think we should say MUST here.
> 
> So, let me go over the options in order to violently agree.
> 
> 1) OSPF is multicast, so we can't use any bilateral key-agreement
>   protocol on its own.  Statically keyed AH can be used for multicast
>   traffic, and a router can trivially ignore an AH validation failure in
>   order to provide some diagnostics by evaluating the contents of
>   the OSPF frame. (This requires hacks on platforms that already have
>   IPsec, but if you implement the AH inside the OSPF daemon....)
> 
>   (so diagnostics can say, "I saw router FOO on interface BLAH, but
>   the key didn't match, so I ignored it", or even, "I saw router FOO
>   on interface BLAH, and since the key didn't match, I treated it as a
>   guest network".  What router FOO thinks of the packets it receives is an
>   open question)
> 
> 2) While we could invoke some kind of group-KMP, these essentially work
>   out to a series of bilateral trust relationships which results in the
>   master machine giving out the pre-shared secret in a secure fashion.
>   The bilateral trust mechanism needs to be anchored by something, 
>   and you can invoke public key mechanisms, or... shared secret.
> 
>   Public key mechanisms with a leap-of-faith and then confirmation via UI,
>   would be very cool, but completely exceeds our needs.  
> 
> 3) my understanding is that OSPFv3 eliminated the plain-text HELLO and
>   md5 methods. 
> 
> The major thing we need to specify for zOSPF is that we need to pick a
> well-known SPI value for the AH header.  That SPI value will need to
> specify an algorithm (HMAC-SHA1, HMAC-SHA2, HMAC-SHA3...) and perhaps a
> key length.  We should publish a few choices for future interop, but we
> will need to pick one MUST for today.  We can't really be resistant
> against a bid-down attack, but even HMAC-SHA1 is pretty resistant today
> (vs bare SHA1), and I think that we can count upon being able to specify
> HMAC-SHA3 for this work.

We will soon have non-IPsec authentication for OSPFv3:

   http://www.ietf.org/id/draft-ietf-ospf-auth-trailer-ospfv3-10.txt 


The point that I don't understand from this E-mail thread is where the Security Association (SA) comes from to use for auto-configured OSPFv3 routers? 
I guess it is from a USB flash drive ;^)). Also, are you and Lorenzo suggesting we make authentication MANDATORY for auto-configured OSPFv3 routers?

Thanks,
Acee 



> 
> -- 
> ]       He who is tired of Weird Al is tired of life!           |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
>   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
> 	               then sign the petition. 
>
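
The statically keyed check and the diagnostics described in option 1 of the quoted message, as an added example that is not part of this thread, the draft, or any OSPF implementation: the receiver maps a well-known SPI to an HMAC algorithm, verifies a truncated ICV with the pre-shared key, and reports a mismatch instead of dropping silently. The SPI numbers, the simplified layout (4-byte SPI, payload, ICV; not the AH wire format), the local SPI allow-list and all names are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical well-known SPIs: each fixes the algorithm and truncated ICV
# length, so receivers on a multicast link need no negotiation.
SPI_TABLE = {
    0x100: ("sha1", 12),    # HMAC-SHA-1-96
    0x101: ("sha256", 16),  # HMAC-SHA-256-128
}
ALLOWED_SPIS = {0x101}      # assumed local policy: refuse the weaker choice


def seal(spi, key, payload):
    """Sender: SPI || payload || ICV (simplified layout, not real AH)."""
    algo, icv_len = SPI_TABLE[spi]
    header = struct.pack("!I", spi)
    return header + payload + hmac.new(key, header + payload, algo).digest()[:icv_len]


def check(packet, key, router_id, ifname):
    """Receiver: return (verdict, diagnostic) for one received packet."""
    if len(packet) < 4:
        return "drop", f"{ifname}: runt packet from {router_id}"
    (spi,) = struct.unpack("!I", packet[:4])
    if spi not in SPI_TABLE:
        return "drop", f"{ifname}: unknown SPI {spi:#x} from {router_id}"
    if spi not in ALLOWED_SPIS:
        return "drop", f"{ifname}: SPI {spi:#x} from {router_id} refused by policy"
    algo, icv_len = SPI_TABLE[spi]
    if len(packet) < 4 + icv_len:
        return "drop", f"{ifname}: truncated packet from {router_id}"
    body, icv = packet[:-icv_len], packet[-icv_len:]
    expected = hmac.new(key, body, algo).digest()[:icv_len]
    if hmac.compare_digest(icv, expected):  # constant-time comparison
        return "accept", f"{ifname}: authenticated router {router_id}"
    return "ignore", f"{ifname}: saw router {router_id}, key didn't match, ignored"


def demo():
    """Constructed sample traffic: same key, foreign key, weaker SPI."""
    home_key = b"constructed-home-key"
    hello = b"constructed OSPFv3 hello"
    packets = (
        seal(0x101, home_key, hello),
        seal(0x101, b"constructed-other-key", hello),
        seal(0x100, home_key, hello),
    )
    return [check(p, home_key, "FOO", "BLAH")[0] for p in packets]
```

The "ignore" verdict is where an implementation could instead classify the interface as a guest network, as the quoted message suggests.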