Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
Manav Bhatia <manav_bhatia06@yahoo.co.uk> Tue, 02 May 2006 00:38 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Faitu-00005X-RS; Mon, 01 May 2006 20:38:02 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Faitu-00005S-1J for isis-wg@ietf.org; Mon, 01 May 2006 20:38:02 -0400
Received: from web25411.mail.ukl.yahoo.com ([217.146.176.229]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1Faitt-0005vT-JO for isis-wg@ietf.org; Mon, 01 May 2006 20:38:02 -0400
Received: (qmail 11173 invoked by uid 60001); 2 May 2006 00:38:00 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.co.uk; h=Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=kDyKcGqEUT6jOpY5qK+tfev+3gDmSl+VpEf7mvP22garQylg7EtTgXdZMW9lz/P5foxXdcSieG2qADTpfOksWJ4CbEiaXy//mhmF25o5MABrHmsJVZNLLWhVywLttB/nc9SnuGFSMa2lHGmEGAzaL/vkmctIxErm2cgoY+KgnuQ= ;
Message-ID: <20060502003800.11171.qmail@web25411.mail.ukl.yahoo.com>
Date: Tue, 02 May 2006 00:38:00 +0000
From: Manav Bhatia <manav_bhatia06@yahoo.co.uk>
Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
To: isis-wg@ietf.org
In-Reply-To: <4449861F.1070608@ipinfusion.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: 0.9 (/)
X-Scan-Signature: bdc523f9a54890b8a30dd6fd53d5d024
X-BeenThere: isis-wg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Manav Bhatia <manav_bhatia06@yahoo.co.uk>
List-Id: IETF IS-IS working group <isis-wg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isis-wg>
List-Post: <mailto:isis-wg@ietf.org>
List-Help: <mailto:isis-wg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=subscribe>
Errors-To: isis-wg-bounces@ietf.org
Hi, We have updated the draft to include HMAC-SHA-384 and HMAC-SHA-512 authentication modes. There were some other minor comments as well that we had received. Those have been addressed in this version. http://www.ietf.org/internet-drafts/draft-bhatia-manral-isis-hmac-sha-01.txt Would appreciate a feedback from the WG. Cheers, Manav ----- Original Message ---- From: Vishwas Manral <vishwas@ipinfusion.com> To: isis-wg@ietf.org Sent: Saturday, 22 April, 2006 6:55:51 AM Subject: RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication Hi Hannes, I mostly agree with Tony here, except for a very corner case where we can amplify a DoS because we have multiple keys to choose between at the receiver during Key Rollover. The point that you bring is an intersting point about KeyRollover. A simple way to do it is to also have the Key-Id (opaque value) sent by the sender. The sender when doing a key rollover will use a different Key ID(which is shared with the receiver). As the receiver will have the key with the same Key-ID it can use that key for calculating the Hash. We will not have to compute the hash with multiple keys which are valid in such a case. The Key lifetime by itself is a very implementation thing(with no effect for interoperability). On another note, as we may now have multiple authentication algorithms to support for any protocol, should we also have an RFC like 4305 for IPsec? That way we do not need to change an RFC which tells about how to use an algorithm(HMAC-SHA1) with IS-IS, but still change the status of algorithm support (e.g. MUST to MAY etc). I am currently the author of the bis version for the RFC and the discussion regarding the same can be seen in the archives. http://www1.ietf.org/mail-archive/web/ipsec/current/index.html Thanks, Vishwas =================================================================== Tony Li wrote: Hannes, > There is a time window (until all routers have the new > authentication key) where the routers holding the new key are > using that key and other routers have not yet got the new key > and hence nothing to verify against. > > so what you require is some form of coordination i.e. > to have all nodes hold off using the new transmit key > up until the network is fully transitioned > (i have seen implementations who achieve that with > time/date based transmit key-selection) -> this requires > some form of coordination (timestamp / key lifetime etc.) Nothing more sophisticated than uniform configuration is required. The first configuration pass installs the new key and enables it for reception. The second configuration pass switches to using the new key for transmission. Those who want to be pedantic can include a third pass to remove the old key. Given the widespread deployment of homegrown tools for consistent, distributed router configuration, I don't see this as a significant hurdle. _______________________________________________ Isis-wg mailing list Isis-wg@ietf.org https://www1.ietf.org/mailman/listinfo/isis-wg _______________________________________________ Isis-wg mailing list Isis-wg@ietf.org https://www1.ietf.org/mailman/listinfo/isis-wg
- [Isis-wg] IS-IS HMAC SHA Cryptographic Authentica… Manav Bhatia
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Sofia Ray
- RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Tony Li
- RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Tony Li
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Hannes Gredler
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Manav Bhatia
- RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… mike shand
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Hannes Gredler
- RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Tony Li
- RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Vishwas Manral
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Manav Bhatia
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Tom Sanders
- RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Manav Bhatia
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Hannes Gredler
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Manav Bhatia
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Abhishek Verma