RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
"Tony Li" <tli@tropos.com> Wed, 19 April 2006 20:16 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FWJ5q-0005Uk-BB; Wed, 19 Apr 2006 16:16:06 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FWJ5o-0005US-MC for isis-wg@ietf.org; Wed, 19 Apr 2006 16:16:04 -0400
Received: from iceblock01.troposnetworks.com ([12.108.168.187] helo=iceblock01.tropos.com) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1FWJ5o-0005e2-6J for isis-wg@ietf.org; Wed, 19 Apr 2006 16:16:04 -0400
Received: (qmail 7786 invoked from network); 19 Apr 2006 20:12:59 -0000
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on iceblock01
X-Spam-Level:
X-Spam-Status: No, score=-104.3 required=6.0 tests=ALL_TRUSTED,AWL,BAYES_00, USER_IN_WHITELIST autolearn=ham version=3.1.0
Received: from ca-bay-exch-01.tropos.com (192.168.1.49) by iceblock01.tropos.com with SMTP; 19 Apr 2006 20:12:53 -0000
Received: from LIPC ([192.168.1.141]) by ca-bay-exch-01.tropos.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 19 Apr 2006 13:15:47 -0700
From: Tony Li <tli@tropos.com>
To: 'Hannes Gredler' <hannes@juniper.net>, tony.li@tony.li
Subject: RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
Date: Wed, 19 Apr 2006 13:15:54 -0700
Message-ID: <009801c663ee$0fb8bf90$4b7d14ac@tropos.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <4446972F.6040408@juniper.net>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Thread-Index: AcZj7CYkkgPoCKT1RNulB63yK70NIgAAHVzw
X-OriginalArrivalTime: 19 Apr 2006 20:15:47.0013 (UTC) FILETIME=[0B551750:01C663EE]
X-Antivirus: Scanned by Tropos Antivirus 1.0.4
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 0ff9c467ad7f19c2a6d058acd7faaec8
Cc: isis-wg@ietf.org
X-BeenThere: isis-wg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: tony.li@tony.li
List-Id: IETF IS-IS working group <isis-wg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/isis-wg>
List-Post: <mailto:isis-wg@ietf.org>
List-Help: <mailto:isis-wg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/isis-wg>, <mailto:isis-wg-request@ietf.org?subject=subscribe>
Errors-To: isis-wg-bounces@ietf.org
Hannes, I'm of the opinion that key rollover and algorithm rollover do not require actual additional protocol specification and that transmitting multiple TLVs is not necessary. For any form of rollover to work, a receiver must be prepared to accept multiple different combinations of password and algorithm. It does not seem like a substantial effort for the receiver to try all of the possibilities that it is configured for. Given this, one way to do smooth rollover is to go around and configure all nodes with the new password and/or algorithm. Once that's completed and in production, then nodes can be set to transmit the new password and/or algorithm. While 802.11's WEP is hardly a good example of this for security purposes, most implementations provide a fine example of how the UI for this would work: one key is used for transmit, while a list of keys is accepted. Regards, Tony P.s. Yes, I'm well aware that implementations do not currently support this behavior and will have to change. Including Juniper's. Sorry. ;-) > -----Original Message----- > From: Hannes Gredler [mailto:hannes@juniper.net] > Sent: Wednesday, April 19, 2006 1:02 PM > To: tony.li@tony.li > Cc: 'Sofia Ray'; isis-wg@ietf.org > Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication > > furthermore, it would be also time to think about authentication-type > migration support. i.e. discuss about authentication-type > [simple->md5->sha] > and key rollover schemes and nail down the necessary behaviour > (multiple instances of TLV #10). > > the prevailing method for both authentication-type and key rollover > (= disabling authentication check during the transition window) > is not really smooth. > > /hannes > > Tony Li wrote: > > Sofia, > > > > While I know of no substantive risks to the use of MD5 > today as used in > > 3567, history suggests that someday, there will be. Thus, > having other > > algorithms available is only prudent and I strongly support > that goal. > > > > Regards, > > Tony > > > > > >>-----Original Message----- > >>From: Sofia Ray [mailto:sofia.ray@lycos.com] > >>Sent: Wednesday, April 19, 2006 11:04 AM > >>To: isis-wg@ietf.org > >>Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication > >> > >>Manav, > >> > >>Whats wrong with the authentication scheme detailed in 3567? > >> > >>Yours, > >>Sofia > >> > >>----- Original Message ---- > >>From: Manav Bhatia <manav_bhatia06@yahoo.co.uk> > >>To: isis-wg@ietf.org > >>Sent: Wednesday, 19 April, 2006 8:30:00 AM > >>Subject: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication > >> > >> > >>Hi, > >> > >>We have written a draft on extending ISIS to use HMAC-SHA > >>authentication. Would appreciate if we can get some feedback > >>from the WG. The mechanism proposed in the draft is backward > >>compatible and would work with the existing ISIS implementations. > >> > >>Cheers, > >>Manav > >> > >>----- Forwarded Message ---- > >>From: Internet-Drafts@ietf.org > >>To: i-d-announce@ietf.org > >>Sent: Wednesday, April 19, 2006 4:20:01 AM > >>Subject: I-D ACTION:draft-bhatia-manral-isis-hmac-sha-00.txt > >> > >>A New Internet-Draft is available from the on-line > >>Internet-Drafts directories. > >> > >> Title : IS-IS HMAC SHA Cryptographic Authentication > >> Author(s) : M. Bhatia, V. Manral > >> Filename : draft-bhatia-manral-isis-hmac-sha-00.txt > >> Pages : 8 > >> Date : 2006-4-18 > >> > >>This document proposes an extension to IS-IS [ISO] [RFC1195] > >>to allow the use of HMAC SHA authentication algorithm in > >>addition to the already documented authentication schemes > >>described in the base specification and RFC 3567. > >> > >>A URL for this Internet-Draft is: > >>http://www.ietf.org/internet-drafts/draft-bhatia-manral-isis-h > >>mac-sha-00.txt > >> > >> > >> > >>-- > >>_______________________________________________ > >> > >>Search for businesses by name, location, or phone number. > >>-Lycos Yellow Pages > >> > >>http://r.lycos.com/r/yp_emailfooter/http://yellowpages.lycos.c > >>om/default.asp?SRC=lycos10 > >> > >> > >>_______________________________________________ > >>Isis-wg mailing list > >>Isis-wg@ietf.org > >>https://www1.ietf.org/mailman/listinfo/isis-wg > >> > > > > > > > > > > _______________________________________________ > > Isis-wg mailing list > > Isis-wg@ietf.org > > https://www1.ietf.org/mailman/listinfo/isis-wg > _______________________________________________ Isis-wg mailing list Isis-wg@ietf.org https://www1.ietf.org/mailman/listinfo/isis-wg
- [Isis-wg] IS-IS HMAC SHA Cryptographic Authentica… Manav Bhatia
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Sofia Ray
- RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Tony Li
- RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Tony Li
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Hannes Gredler
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Manav Bhatia
- RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… mike shand
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Hannes Gredler
- RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Tony Li
- RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Vishwas Manral
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Manav Bhatia
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Tom Sanders
- RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Manav Bhatia
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Hannes Gredler
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Manav Bhatia
- Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authen… Abhishek Verma