RE: [karp] Last Call: <draft-ietf-ospf-auth-trailer-ospfv3-05.txt> (Supporting Authentication Trailer for OSPFv3) to Proposed Standard
"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Wed, 24 August 2011 14:38 UTC
Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BE0B21F8B52; Wed, 24 Aug 2011 07:38:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.245
X-Spam-Level:
X-Spam-Status: No, score=-6.245 tagged_above=-999 required=5 tests=[AWL=0.354, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AS0ulxgtOLwI; Wed, 24 Aug 2011 07:38:38 -0700 (PDT)
Received: from ihemail4.lucent.com (ihemail4.lucent.com [135.245.0.39]) by ietfa.amsl.com (Postfix) with ESMTP id 646C421F8B38; Wed, 24 Aug 2011 07:38:38 -0700 (PDT)
Received: from inbansmailrelay2.in.alcatel-lucent.com (h135-250-11-33.lucent.com [135.250.11.33]) by ihemail4.lucent.com (8.13.8/IER-o) with ESMTP id p7OEdiS3011695 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 24 Aug 2011 09:39:47 -0500 (CDT)
Received: from INBANSXCHHUB03.in.alcatel-lucent.com (inbansxchhub03.in.alcatel-lucent.com [135.250.12.80]) by inbansmailrelay2.in.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id p7OEdgfA008082 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Wed, 24 Aug 2011 20:09:43 +0530
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.38]) by INBANSXCHHUB03.in.alcatel-lucent.com ([135.250.12.80]) with mapi; Wed, 24 Aug 2011 20:09:42 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Sam Hartman <hartmans-ietf@mit.edu>, "ietf@ietf.org" <ietf@ietf.org>
Date: Wed, 24 Aug 2011 20:09:40 +0530
Subject: RE: [karp] Last Call: <draft-ietf-ospf-auth-trailer-ospfv3-05.txt> (Supporting Authentication Trailer for OSPFv3) to Proposed Standard
Thread-Topic: [karp] Last Call: <draft-ietf-ospf-auth-trailer-ospfv3-05.txt> (Supporting Authentication Trailer for OSPFv3) to Proposed Standard
Thread-Index: AcxbcHckAhwFV117ToWRv88q2y5g9gG+iTTg
Message-ID: <7C362EEF9C7896468B36C9B79200D8350CFF9A5F02@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <20110719145739.5942.53564.idtracker@ietfa.amsl.com> <tsl7h6ed1sp.fsf@mit.edu>
In-Reply-To: <tsl7h6ed1sp.fsf@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.39
X-Mailman-Approved-At: Wed, 24 Aug 2011 08:26:11 -0700
Cc: "ospf@ietf.org" <ospf@ietf.org>, "karp@ietf.org" <karp@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2011 14:38:39 -0000
Hi, [clipped] > > Based on this review I have a few recommendations for the > OSPF v3 authentication trailers document. > > 1) The v3 authentication trailer takes a step back in the > ability to rekey security associations both from OSPF v2, > from IPsec for OSPF v3 and from [ ..] > > I believe that draft-ietf-ospf-auth-trailer-ospfv3-05 needs > to be revised to require implementation behavior at least as > flexible as draft-ietf-karp-crypto-tables. That is, > associated with each security association is a time for when > sending packets can start with a given SA and for when it > must stop. Infinity and 0 should of course be supported for > the appropriate times. > > 2) I notice terminology inconsistency between key identifier > and security association identifier. This should probably be > cleaned up, although it's not that big of a deal. http://tools.ietf.org/id/draft-ietf-ospf-auth-trailer-ospfv3-06.txt addresses the first two comments. > > > 3) draft-ietf-ospf-analysis says that we are going to solve > related protocol attacks. That is, we recognize that it's > quite likely that some people will use the same preshared key > both for OSPF authentication and for something else. We need > to mix something into the key or hash or something that is > unlikely to appear in any other use in order to make it > cryptographically unlikely for the resulting OSPF > authentication hash to be a hash useful in some other > protocol or for the hash from some other protocol to be > useful in OSPF. This draft does not do that. One possible > way to solve this would be to prepend a constant in front of > the key in the key preparation step or a constant in front of > every packet that gets hashed. The constant should be the > same for OSPFv3 and not used for any other purpose. We had an offline discussion with Sam and others and we seem to have converged at this text: We change the hex that's repeated in the Apad from 0x878FE1F3 to 0x878FE1F4. This value will be unique for OSPFv3. Other protocols that use this mechanism must use a different value of Apad - you could think of this as "salting" the Apad. OLD TEXT in Sec 4.4: Apad is a value which is the same length as the hash output or message digest. The first 16 octets contain the IPv6 source address followed by the hexadecimal value 0x878FE1F3 repeated (L-16)/4 times. This implies that hash output is always a length of at least 16 octets. NEW TEXT: Apad is a value which is the same length as the hash output or message digest. The first 16 octets contain the IPv6 source address followed by the hexadecimal value 0x878FE1F4 repeated (L-16)/4 times. This implies that hash output is always a length of at least 16 octets. Cheers, Manav
- Re: Last Call: <draft-ietf-ospf-auth-trailer-ospf… Sam Hartman
- RE: [karp] Last Call: <draft-ietf-ospf-auth-trail… Bhatia, Manav (Manav)
- Re: [OSPF] [karp] Last Call: <draft-ietf-ospf-aut… Acee Lindem
- Re: [OSPF] [karp] Last Call: <draft-ietf-ospf-aut… Acee Lindem
- RE: [OSPF] [karp] Last Call: <draft-ietf-ospf-aut… Bhatia, Manav (Manav)
- Re: [OSPF] [karp] Last Call: <draft-ietf-ospf-aut… Acee Lindem
- Re: [OSPF] [karp] Last Call: <draft-ietf-ospf-aut… Acee Lindem