RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
mike shand <mshand@cisco.com> Thu, 20 April 2006 06:49 UTC
Message-Id: <7.0.1.0.0.20060420074715.03c42cc8@cisco.com>
Date: Thu, 20 Apr 2006 07:49:35 +0100
To: tony.li@tony.li
From: mike shand <mshand@cisco.com>
Subject: RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
In-Reply-To: <009801c663ee$0fb8bf90$4b7d14ac@tropos.com>
References: <4446972F.6040408@juniper.net> <009801c663ee$0fb8bf90$4b7d14ac@tropos.com>
Cc: 'Hannes Gredler' <hannes@juniper.net>, tony.li@tony.li, isis-wg@ietf.org
At 21:15 19/04/2006, Tony Li wrote:
>
> Hannes,
>
> I'm of the opinion that key rollover and algorithm rollover do not
> require actual additional protocol specification and that transmitting
> multiple TLVs is not necessary. For any form of rollover to work, a
> receiver must be prepared to accept multiple different combinations of
> password and algorithm. It does not seem like a substantial effort for
> the receiver to try all of the possibilities that it is configured for.

Absolutely. That was the way it was designed to work in the original form with non-cryptographic passwords (multiple receive passwords could be specified to allow migration), and I don't see why the same principle shouldn't apply to algorithm migration.

        Mike

> Given this, one way to do smooth rollover is to go around and configure
> all nodes with the new password and/or algorithm. Once that's completed
> and in production, then nodes can be set to transmit the new password
> and/or algorithm.
>
> While 802.11's WEP is hardly a good example of this for security
> purposes, most implementations provide a fine example of how the UI for
> this would work: one key is used for transmit, while a list of keys is
> accepted.
>
> Regards,
> Tony
>
> P.s. Yes, I'm well aware that implementations do not currently support
> this behavior and will have to change. Including Juniper's. Sorry.
> ;-)
>
> > -----Original Message-----
> > From: Hannes Gredler [mailto:hannes@juniper.net]
> > Sent: Wednesday, April 19, 2006 1:02 PM
> > To: tony.li@tony.li
> > Cc: 'Sofia Ray'; isis-wg@ietf.org
> > Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
> >
> > furthermore, it would be also time to think about authentication-type
> > migration support. i.e. discuss about authentication-type
> > [simple->md5->sha]
> > and key rollover schemes and nail down the necessary behaviour
> > (multiple instances of TLV #10).
> >
> > the prevailing method for both authentication-type and key rollover
> > (= disabling authentication check during the transition window)
> > is not really smooth.
> >
> > /hannes
> >
> > Tony Li wrote:
> > > Sofia,
> > >
> > > While I know of no substantive risks to the use of MD5 today as used in
> > > 3567, history suggests that someday, there will be. Thus, having other
> > > algorithms available is only prudent and I strongly support that goal.
> > >
> > > Regards,
> > > Tony
> > >
> > >> -----Original Message-----
> > >> From: Sofia Ray [mailto:sofia.ray@lycos.com]
> > >> Sent: Wednesday, April 19, 2006 11:04 AM
> > >> To: isis-wg@ietf.org
> > >> Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
> > >>
> > >> Manav,
> > >>
> > >> What's wrong with the authentication scheme detailed in 3567?
> > >>
> > >> Yours,
> > >> Sofia
> > >>
> > >> ----- Original Message ----
> > >> From: Manav Bhatia <manav_bhatia06@yahoo.co.uk>
> > >> To: isis-wg@ietf.org
> > >> Sent: Wednesday, 19 April, 2006 8:30:00 AM
> > >> Subject: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
> > >>
> > >> Hi,
> > >>
> > >> We have written a draft on extending ISIS to use HMAC-SHA
> > >> authentication. Would appreciate if we can get some feedback
> > >> from the WG. The mechanism proposed in the draft is backward
> > >> compatible and would work with the existing ISIS implementations.
> > >>
> > >> Cheers,
> > >> Manav
> > >>
> > >> ----- Forwarded Message ----
> > >> From: Internet-Drafts@ietf.org
> > >> To: i-d-announce@ietf.org
> > >> Sent: Wednesday, April 19, 2006 4:20:01 AM
> > >> Subject: I-D ACTION:draft-bhatia-manral-isis-hmac-sha-00.txt
> > >>
> > >> A New Internet-Draft is available from the on-line
> > >> Internet-Drafts directories.
> > >>
> > >>   Title     : IS-IS HMAC SHA Cryptographic Authentication
> > >>   Author(s) : M. Bhatia, V. Manral
> > >>   Filename  : draft-bhatia-manral-isis-hmac-sha-00.txt
> > >>   Pages     : 8
> > >>   Date      : 2006-4-18
> > >>
> > >> This document proposes an extension to IS-IS [ISO] [RFC1195]
> > >> to allow the use of HMAC SHA authentication algorithm in
> > >> addition to the already documented authentication schemes
> > >> described in the base specification and RFC 3567.
> > >>
> > >> A URL for this Internet-Draft is:
> > >> http://www.ietf.org/internet-drafts/draft-bhatia-manral-isis-hmac-sha-00.txt

_______________________________________________
Isis-wg mailing list
Isis-wg@ietf.org
https://www1.ietf.org/mailman/listinfo/isis-wg
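The "one key to transmit, a list of keys to accept" rollover that Tony describes and Mike endorses, as an added Python model that is not part of this thread, the draft, or any IS-IS implementation. It uses a simplified TLV 10 (digest computed over the PDU body only, standing in for zeroing the authentication value); the HMAC-MD5 type code 54 is RFC 3567's, while the HMAC-SHA type code, the sample keys and the PDU body are constructed placeholders.

```python
import hashlib
import hmac

# Authentication type codes carried in the first octet of IS-IS TLV 10.
AUTH_CLEARTEXT = 1   # cleartext password, base specification
AUTH_HMAC_MD5 = 54   # HMAC-MD5, RFC 3567
AUTH_HMAC_SHA = 3    # ASSUMED placeholder for the proposed HMAC-SHA type
HASH_FOR = {AUTH_HMAC_MD5: hashlib.md5, AUTH_HMAC_SHA: hashlib.sha256}

def auth_value(auth_type, key, body):
    """Value for TLV 10; simplified: the digest covers the body only."""
    if auth_type == AUTH_CLEARTEXT:
        return key
    return hmac.new(key, body, HASH_FOR[auth_type]).digest()

def encode_pdu(auth_type, key, body):
    """TLV 10 = type 10, length, auth-type octet, value; then the body."""
    value = bytes([auth_type]) + auth_value(auth_type, key, body)
    return bytes([10, len(value)]) + value + body

def decode_pdu(pdu):
    """Split a PDU into (auth_type, received value, body)."""
    if len(pdu) < 3 or pdu[0] != 10 or pdu[1] < 1 or len(pdu) < 2 + pdu[1]:
        raise ValueError("malformed authentication TLV")
    end = 2 + pdu[1]
    return pdu[2], pdu[3:end], pdu[end:]

class Neighbor:
    """Transmit with one (type, key) pair; accept any pair in a list."""

    def __init__(self, transmit, accept):
        self.transmit = transmit
        self.accept = list(accept)

    def sign(self, body):
        auth_type, key = self.transmit
        return encode_pdu(auth_type, key, body)

    def verify(self, pdu):
        """Return the accepted pair that authenticates the PDU, else None."""
        auth_type, received, body = decode_pdu(pdu)
        for cand_type, cand_key in self.accept:   # try every configured pair
            if cand_type != auth_type:
                continue
            expected = auth_value(cand_type, cand_key, body)
            if hmac.compare_digest(expected, received):
                return (cand_type, cand_key)
        return None
```

During migration every node is first given both pairs in its accept list; only once that is in production is the transmit pair switched, and the old pair is withdrawn last.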