IETF Logo Mail Archive

Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication

Manav Bhatia <manav_bhatia06@yahoo.co.uk> Tue, 02 May 2006 00:38 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Faitu-00005X-RS; Mon, 01 May 2006 20:38:02 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Faitu-00005S-1J for isis-wg@ietf.org; Mon, 01 May 2006 20:38:02 -0400
Received: from web25411.mail.ukl.yahoo.com ([217.146.176.229]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1Faitt-0005vT-JO for isis-wg@ietf.org; Mon, 01 May 2006 20:38:02 -0400
Received: (qmail 11173 invoked by uid 60001); 2 May 2006 00:38:00 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.co.uk; h=Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=kDyKcGqEUT6jOpY5qK+tfev+3gDmSl+VpEf7mvP22garQylg7EtTgXdZMW9lz/P5foxXdcSieG2qADTpfOksWJ4CbEiaXy//mhmF25o5MABrHmsJVZNLLWhVywLttB/nc9SnuGFSMa2lHGmEGAzaL/vkmctIxErm2cgoY+KgnuQ= ;
Message-ID: <20060502003800.11171.qmail@web25411.mail.ukl.yahoo.com>
Date: Tue, 02 May 2006 00:38:00 +0000
From: Manav Bhatia <manav_bhatia06@yahoo.co.uk>
Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
To: isis-wg@ietf.org
In-Reply-To: <4449861F.1070608@ipinfusion.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: 0.9 (/)
X-Scan-Signature: bdc523f9a54890b8a30dd6fd53d5d024
X-BeenThere: isis-wg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Manav Bhatia <manav_bhatia06@yahoo.co.uk>
List-Id: IETF IS-IS working group <isis-wg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isis-wg>
List-Post: <mailto:isis-wg@ietf.org>
List-Help: <mailto:isis-wg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=subscribe>
Errors-To: isis-wg-bounces@ietf.org

Hi,
 
We have updated the draft to include HMAC-SHA-384 and HMAC-SHA-512 authentication modes. There were some other minor comments as well that we had received. Those have been addressed in this version.
 
http://www.ietf.org/internet-drafts/draft-bhatia-manral-isis-hmac-sha-01.txt
 
Would appreciate a feedback from the WG.
 
Cheers,
Manav

----- Original Message ----
From: Vishwas Manral <vishwas@ipinfusion.com>
To: isis-wg@ietf.org
Sent: Saturday, 22 April, 2006 6:55:51 AM
Subject: RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication


Hi Hannes,

I mostly agree with Tony here, except for a very corner case where we can amplify 
a DoS because we have multiple keys to choose between at the receiver during Key
Rollover.

The point that you bring is an intersting point about KeyRollover. A simple 
way to do it is to also have the Key-Id (opaque value) sent by the sender. The 
sender when doing a key rollover will use a different Key ID(which is shared with
the receiver). As the receiver will have the key with the same Key-ID it can use 
that key for calculating the Hash. We will not have to compute the hash with 
multiple keys which are valid in such a case.

The Key lifetime by itself is a very implementation thing(with no effect for 
interoperability).

On another note, as we may now have multiple authentication algorithms to support 
for any protocol, should we also have an RFC like 4305 for IPsec? That way we do 
not need to change an RFC which tells about how to use an algorithm(HMAC-SHA1) with
IS-IS, but still change the status of algorithm support (e.g. MUST to MAY etc).

I am currently the author of the bis version for the RFC and the discussion regarding 
the same can be seen in the archives.
http://www1.ietf.org/mail-archive/web/ipsec/current/index.html

Thanks,
Vishwas

===================================================================
Tony Li wrote:

Hannes,

> There is a time window (until all routers have the new
> authentication key) where the routers holding the new key are
> using that key and other routers have not yet got the new key
> and hence nothing to verify against.
> 
>    so what you require is some form of coordination i.e.
>    to have all nodes hold off using the new transmit key
>    up until the network is fully transitioned
>    (i have seen implementations who achieve that with
>    time/date based transmit key-selection) -> this requires
>    some form of coordination (timestamp / key lifetime etc.)


Nothing more sophisticated than uniform configuration is required.  The
first configuration pass installs the new key and enables it for
reception.  The second configuration pass switches to using the new key
for transmission.  Those who want to be pedantic can include a third
pass to remove the old key.

Given the widespread deployment of homegrown tools for consistent,
distributed router configuration, I don't see this as a significant
hurdle.



_______________________________________________
Isis-wg mailing list
Isis-wg@ietf.org
https://www1.ietf.org/mailman/listinfo/isis-wg

_______________________________________________
Isis-wg mailing list
Isis-wg@ietf.org
https://www1.ietf.org/mailman/listinfo/isis-wg

v2.23.0 | Report a Bug | By Email