Re: [Lsr] [OSPFv2/v3] Regarding Authentication process during last key expiry or no active keys of key chain

Abhinay R <abhinay.is2006@gmail.com> Mon, 08 March 2021 08:44 UTC

References: <DB7PR07MB4507100A11FE9BF46590F0C7BB939@DB7PR07MB4507.eurprd07.prod.outlook.com>
In-Reply-To: <DB7PR07MB4507100A11FE9BF46590F0C7BB939@DB7PR07MB4507.eurprd07.prod.outlook.com>
From: Abhinay R <abhinay.is2006@gmail.com>
Date: Mon, 8 Mar 2021 14:14:02 +0530
Message-ID: <CAHUNbhZQaKjdF_KTHHQm-FL2s7Ja3qZ7Cgw-KnrPAh0qFZ8SxQ@mail.gmail.com>
To: Veerendranatha Reddy V <veerendranatha.reddy.v=40ericsson.com@dmarc.ietf.org>
Cc: "lsr@ietf.org" <lsr@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/6rO3Tc3fRgR2p2qXS8ZTrmxjWAM>
Subject: Re: [Lsr] [OSPFv2/v3] Regarding Authentication process during last key expiry or no active keys of key chain

Hi Veeru,
Is there a need to have the same behaviour? When we had to implement it
I remember we followed rule 1 for OSPFv3, but we triggered a trap message
before doing so.

Thanks & Regards,
Abhinay R

On Mon, Mar 8, 2021 at 9:00 AM Veerendranatha Reddy V
<veerendranatha.reddy.v=40ericsson.com@dmarc.ietf.org> wrote:
>
> Hi All,
>
> As per the OSPF authentication RFCs, when the last key of a key chain has expired or is inactive, the behavior of the authentication process is different between OSPFv2 and OSPFv3.
>
> For OSPFv2, from RFC 5709:
>
>       [From Section 3.2]
>
>    Key storage SHOULD persist across a system restart, warm or cold, to
>    avoid operational issues.  In the event that the last key associated
>    with an interface expires, it is unacceptable to revert to an
>    unauthenticated condition, and not advisable to disrupt routing.
>    Therefore, the router should send a "last Authentication Key
>    expiration" notification to the network manager and treat the key as
>    having an infinite lifetime until the lifetime is extended, the key
>    is deleted by network management, or a new key is configured.
>
> For OSPFv3, from RFC 7166:
>
>       [From Section 3]
>
>       Key storage SHOULD persist across a system restart, warm or cold,
>       to avoid operational issues.  In the event that the last key
>       associated with an interface expires, the network operator SHOULD
>       be notified, and the OSPFv3 packet MUST NOT be transmitted
>       unauthenticated.
>
> For a new implementation of these RFCs, I am requesting the suggested behavior.
>
> Sending side:
>
> 1. Do not send the packet until a valid key is configured on the key chain.
> 2. Send the packet without authentication.
> 3. Send the packet with the last expired authentication key.
>
> Receiving side:
>
> 1. Ignore the packets until a valid key is configured on the key chain.
> 2. Accept the packets without authentication.
> 3. Accept the packets that match the last expired key.
>
> Thanks & Regards,
>
> Veerendranath
>
> _______________________________________________
> Lsr mailing list
> Lsr@ietf.org
> https://www.ietf.org/mailman/listinfo/lsr



-- 
~♥~♫AbHiNaY♫~♥~∞
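The two RFC rules quoted in this thread, worked through as code. This is an added example and not code from either poster or from any OSPF implementation; the Key/KeyChain classes, the protocol labels and the sample key chain are constructed here. It models the send-side decision exactly as the quoted text states it (RFC 5709: notify and keep the last key alive with an infinite lifetime; RFC 7166: notify and never transmit unauthenticated). For the receive side, which neither quoted passage spells out, the example applies the OSPFv2 "infinite lifetime" rule symmetrically and keeps OSPFv3 strict; that choice is an assumption, marked as such in the code.

```python
"""Key-chain lifetime handling when the last key expires (added example).

Models the two behaviours quoted in this thread. For OSPFv2, RFC 5709 says
the router should notify the network manager and treat the last key as
having an infinite lifetime. For OSPFv3, RFC 7166 says the operator SHOULD
be notified and the packet MUST NOT be transmitted unauthenticated, which
here means the packet is not sent at all. The Key/KeyChain classes, the
protocol labels and the sample chain are constructed for this example and
are not taken from any RFC text or implementation.
"""
from dataclasses import dataclass, field
from typing import List, Optional

OSPFV2 = "ospfv2"
OSPFV3 = "ospfv3"


@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    send_start: int    # first second the key may authenticate outgoing packets
    send_end: int      # last second of the send lifetime
    accept_start: int  # first second the key may verify incoming packets
    accept_end: int    # last second of the accept lifetime

    def send_active(self, now: int) -> bool:
        return self.send_start <= now <= self.send_end

    def accept_active(self, now: int) -> bool:
        return self.accept_start <= now <= self.accept_end


@dataclass
class KeyChain:
    keys: List[Key]
    protocol: str
    # Stands in for the trap/syslog notification both RFCs ask for.
    notifications: List[str] = field(default_factory=list)

    def select_send_key(self, now: int) -> Optional[Key]:
        """Key to authenticate an outgoing packet, or None meaning 'do not send'."""
        active = [k for k in self.keys if k.send_active(now)]
        if active:
            # Overlapping lifetimes during rollover: prefer the newest key.
            return max(active, key=lambda k: k.send_start)
        if not self.keys:
            self.notifications.append("no keys configured; packet not sent")
            return None
        last = max(self.keys, key=lambda k: k.send_end)
        if self.protocol == OSPFV2:
            # RFC 5709: notify and keep using the last key as if it never expires.
            self.notifications.append(
                f"last Authentication Key expiration: key {last.key_id} kept in use")
            return last
        # RFC 7166: notify; never fall back to an unauthenticated packet.
        self.notifications.append(
            f"last key {last.key_id} expired: OSPFv3 packet not transmitted")
        return None

    def lookup_receive_key(self, now: int, key_id: int) -> Optional[Key]:
        """Key to verify an incoming packet carrying key_id, or None to drop it.

        Assumption for this example: the OSPFv2 'infinite lifetime' rule is
        applied symmetrically, so the last key stays acceptable on receive as
        long as no other key is accept-active; OSPFv3 stays strict.
        """
        key = next((k for k in self.keys if k.key_id == key_id), None)
        if key is None or key.accept_active(now):
            return key
        if self.protocol != OSPFV2:
            return None
        any_active = any(k.accept_active(now) for k in self.keys)
        last = max(self.keys, key=lambda k: k.accept_end)
        return key if (not any_active and key == last) else None


# Constructed sample chain: key 1 rolls over to key 2, nothing configured after.
SAMPLE_KEYS = [
    Key(1, b"old-secret", send_start=0,   send_end=1000, accept_start=0,   accept_end=1100),
    Key(2, b"new-secret", send_start=900, send_end=2000, accept_start=800, accept_end=2100),
]


def decisions(protocol: str, now: int) -> dict:
    """Summarise the send/receive decisions at time `now` for one protocol."""
    chain = KeyChain(list(SAMPLE_KEYS), protocol)
    send = chain.select_send_key(now)
    return {
        "send_key": send.key_id if send else None,
        "accept_key1": chain.lookup_receive_key(now, 1) is not None,
        "accept_key2": chain.lookup_receive_key(now, 2) is not None,
        "notifications": list(chain.notifications),
    }


if __name__ == "__main__":
    for proto in (OSPFV2, OSPFV3):
        for t in (500, 950, 3000):
            print(proto, t, decisions(proto, t))
```

Running the block walks the sample chain through three moments: before rollover (only key 1 live), during the overlap (key 2 preferred), and after every lifetime has ended. At that last point the OSPFv2 chain keeps signing with key 2 and records one notification, while the OSPFv3 chain records the notification and returns no key, so the caller must not emit the packet. Option 2 from the thread (send or accept unauthenticated) never appears as an outcome, matching the "unacceptable" / "MUST NOT" wording of both RFCs.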