RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication

mike shand <mshand@cisco.com> Thu, 20 April 2006 06:49 UTC

Message-Id: <7.0.1.0.0.20060420074715.03c42cc8@cisco.com>
Date: Thu, 20 Apr 2006 07:49:35 +0100
To: tony.li@tony.li
From: mike shand <mshand@cisco.com>
Subject: RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
In-Reply-To: <009801c663ee$0fb8bf90$4b7d14ac@tropos.com>
References: <4446972F.6040408@juniper.net> <009801c663ee$0fb8bf90$4b7d14ac@tropos.com>
Cc: 'Hannes Gredler' <hannes@juniper.net>, tony.li@tony.li, isis-wg@ietf.org

At 21:15 19/04/2006, Tony Li wrote:
>
>Hannes,
>
>I'm of the opinion that key rollover and algorithm rollover do not
>require actual additional protocol specification and that transmitting
>multiple TLVs is not necessary.  For any form of rollover to work, a
>receiver must be prepared to accept multiple different combinations of
>password and algorithm.  It does not seem like a substantial effort for
>the receiver to try all of the possibilities that it is configured for.

Absolutely. That was the way it was designed to work in the original 
form with non-cryptographic passwords (multiple receive passwords 
could be specified to allow migration), and I don't see why the same 
principle shouldn't apply to algorithm migration.

         Mike



>Given this, one way to do smooth rollover is to go around and configure
>all nodes with the new password and/or algorithm.  Once that's completed
>and in production, then nodes can be set to transmit the new password
>and/or algorithm.
>
>While 802.11's WEP is hardly a good example of this for security
>purposes, most implementations provide a fine example of how the UI for
>this would work: one key is used for transmit, while a list of keys is
>accepted.
>
>Regards,
>Tony
>
>P.s. Yes, I'm well aware that implementations do not currently support
>this behavior and will have to change.  Including Juniper's.  Sorry.
>;-)
>
>
> > -----Original Message-----
> > From: Hannes Gredler [mailto:hannes@juniper.net]
> > Sent: Wednesday, April 19, 2006 1:02 PM
> > To: tony.li@tony.li
> > Cc: 'Sofia Ray'; isis-wg@ietf.org
> > Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
> >
> > Furthermore, it would also be time to think about authentication-type
> > migration support, i.e. discuss authentication-type
> > [simple->md5->sha] and key rollover schemes and nail down the
> > necessary behaviour (multiple instances of TLV #10).
> >
> > The prevailing method for both authentication-type and key rollover
> > (= disabling the authentication check during the transition window)
> > is not really smooth.
> >
> > /hannes
> >
> > Tony Li wrote:
> > > Sofia,
> > >
> > > While I know of no substantive risks to the use of MD5 today as used in
> > > 3567, history suggests that someday, there will be.  Thus, having other
> > > algorithms available is only prudent and I strongly support that goal.
> > >
> > > Regards,
> > > Tony
> > >
> > >
> > >>-----Original Message-----
> > >>From: Sofia Ray [mailto:sofia.ray@lycos.com]
> > >>Sent: Wednesday, April 19, 2006 11:04 AM
> > >>To: isis-wg@ietf.org
> > >>Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
> > >>
> > >>Manav,
> > >>
> > >>What's wrong with the authentication scheme detailed in 3567?
> > >>
> > >>Yours,
> > >>Sofia
> > >>
> > >>----- Original Message ----
> > >>From: Manav Bhatia <manav_bhatia06@yahoo.co.uk>
> > >>To: isis-wg@ietf.org
> > >>Sent: Wednesday, 19 April, 2006 8:30:00 AM
> > >>Subject: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
> > >>
> > >>
> > >>Hi,
> > >>
> > >>We have written a draft on extending ISIS to use HMAC-SHA
> > >>authentication. We would appreciate it if we could get some feedback
> > >>from the WG. The mechanism proposed in the draft is backward
> > >>compatible and would work with the existing ISIS implementations.
> > >>
> > >>Cheers,
> > >>Manav
> > >>
> > >>----- Forwarded Message ----
> > >>From: Internet-Drafts@ietf.org
> > >>To: i-d-announce@ietf.org
> > >>Sent: Wednesday, April 19, 2006 4:20:01 AM
> > >>Subject: I-D ACTION:draft-bhatia-manral-isis-hmac-sha-00.txt
> > >>
> > >>A New Internet-Draft is available from the on-line
> > >>Internet-Drafts directories.
> > >>
> > >>    Title        : IS-IS HMAC SHA Cryptographic Authentication
> > >>    Author(s)    : M. Bhatia, V. Manral
> > >>    Filename    : draft-bhatia-manral-isis-hmac-sha-00.txt
> > >>    Pages        : 8
> > >>    Date        : 2006-4-18
> > >>
> > >>This document proposes an extension to IS-IS [ISO] [RFC1195]
> > >>to allow the use of HMAC SHA authentication algorithm in
> > >>addition to the already documented authentication schemes
> > >>described in the base specification and RFC 3567.
> > >>
> > >>A URL for this Internet-Draft is:
> > >>http://www.ietf.org/internet-drafts/draft-bhatia-manral-isis-hmac-sha-00.txt
> > >>
> >

_______________________________________________
Isis-wg mailing list
Isis-wg@ietf.org
https://www1.ietf.org/mailman/listinfo/isis-wg
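The transmit-one / accept-many rollover that Tony Li sketches above and Mike Shand agrees with, written out as an added example. This is not code from the draft, from Cisco or from Juniper. It models only the TLV area of a PDU: the fixed IS-IS PDU header, and the LSP checksum / remaining-lifetime zeroing that RFC 3567 requires before computing the digest, are left out. Authentication Type 1 (cleartext, ISO 10589 / RFC 1195) and 54 (HMAC-MD5, RFC 3567) are the real code points; the HMAC-SHA-256 code point, the key material and the TLV contents are constructed for the example, and the draft's own encoding is not on this page.

```python
"""Key and algorithm rollover for IS-IS authentication TLV #10 (added example).

Each node transmits with exactly one (algorithm, key); on receipt it tries every
(algorithm, key) it is configured to accept. No extra TLVs or protocol machinery
are needed, which is the point made in the thread above.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

TLV_AUTHENTICATION = 10

# Authentication Type octet at the start of the TLV #10 value.
AUTH_TYPE_CLEARTEXT = 1     # simple password, ISO 10589 / RFC 1195
AUTH_TYPE_HMAC_MD5 = 54     # RFC 3567
# ASSUMPTION: the code point the HMAC-SHA draft assigns is not on this page;
# a private value is used only so the two HMAC algorithms are distinguishable.
AUTH_TYPE_HMAC_SHA256 = 250

# HMAC hash per authentication type; None means cleartext comparison.
_ALGS = {
    AUTH_TYPE_CLEARTEXT: None,
    AUTH_TYPE_HMAC_MD5: hashlib.md5,
    AUTH_TYPE_HMAC_SHA256: hashlib.sha256,
}


@dataclass(frozen=True)
class AuthKey:
    auth_type: int
    secret: bytes


def _auth_value_len(k: AuthKey) -> int:
    alg = _ALGS[k.auth_type]
    return len(k.secret) if alg is None else alg().digest_size


def _tlvs(pdu: bytes):
    """Yield (offset, type, value) for each TLV; stop silently on truncation."""
    off = 0
    while off + 2 <= len(pdu):
        t, ln = pdu[off], pdu[off + 1]
        if off + 2 + ln > len(pdu):
            return
        yield off, t, pdu[off + 2:off + 2 + ln]
        off += 2 + ln


def _mac(pdu: bytes, auth_off: int, k: AuthKey) -> bytes:
    """Authentication value computed with the TLV's value field zeroed (RFC 3567 style)."""
    n = _auth_value_len(k)
    start = auth_off + 3                      # skip Type, Length and Authentication Type
    scratch = pdu[:start] + b"\x00" * n + pdu[start + n:]
    alg = _ALGS[k.auth_type]
    if alg is None:
        return k.secret                       # cleartext: the password itself is carried
    return hmac.new(k.secret, scratch, alg).digest()


def sign(tlvs: bytes, k: AuthKey) -> bytes:
    """Append a single TLV #10 built with the node's one transmit key."""
    n = _auth_value_len(k)
    auth_off = len(tlvs)
    pdu = tlvs + bytes([TLV_AUTHENTICATION, 1 + n, k.auth_type]) + b"\x00" * n
    return pdu[:auth_off + 3] + _mac(pdu, auth_off, k)


def verify(pdu: bytes, accept: list) -> Optional[AuthKey]:
    """Return the accepted key that validates the PDU, or None.

    Every configured (algorithm, key) whose type matches the received TLV is
    tried in turn, so a node can accept old and new credentials during the
    rollover window. Exactly one TLV #10 is required.
    """
    found = [(off, v) for off, t, v in _tlvs(pdu) if t == TLV_AUTHENTICATION]
    if len(found) != 1 or not found[0][1]:
        return None                           # missing, empty or duplicated TLV #10
    off, val = found[0]
    rx_type, rx_value = val[0], val[1:]
    for k in accept:
        if k.auth_type != rx_type or _auth_value_len(k) != len(rx_value):
            continue
        if hmac.compare_digest(_mac(pdu, off, k), rx_value):
            return k
    return None


def rollover_demo() -> dict:
    """Walk the phases described in the thread; every value should be True."""
    old = AuthKey(AUTH_TYPE_HMAC_MD5, b"old-md5-secret")        # constructed
    new = AuthKey(AUTH_TYPE_HMAC_SHA256, b"new-sha-secret")     # constructed
    # Constructed TLV area: Area Address (type 1) and Protocols Supported (type 129).
    body = bytes([1, 4, 3, 0x49, 0x00, 0x01]) + bytes([129, 1, 0xCC])
    pdu_old, pdu_new = sign(body, old), sign(body, new)
    tampered = bytearray(pdu_new)
    tampered[3] ^= 0x01                       # flip a bit in the area address
    return {
        # Phase 1: accept list widened to [old, new], everyone still transmits old.
        "migrating_accepts_old": verify(pdu_old, [old, new]) is old,
        "migrating_accepts_new": verify(pdu_new, [old, new]) is new,
        # Why accept lists go first: a node not yet configured drops the new key.
        "unprepared_rejects_new": verify(pdu_new, [old]) is None,
        # Phase 3: old removed from the accept list; stragglers are dropped.
        "final_rejects_old": verify(pdu_old, [new]) is None,
        "final_accepts_new": verify(pdu_new, [new]) is new,
        "tamper_rejected": verify(bytes(tampered), [old, new]) is None,
    }
```

The ordering in rollover_demo is the operational point: widen every node's accept list before any node changes what it transmits, then narrow the accept lists only once no neighbour still transmits the old credential. The same loop handles a simple-password to HMAC migration, since a cleartext key is just another entry in the accept list.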