Re: [Lsr] [OSPFv2/v3] Regarding Authentication process during last key expiry or no active keys of key chain

Veerendranatha Reddy V <veerendranatha.reddy.v@ericsson.com> Tue, 09 March 2021 03:45 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/NfBF0HzNafRNSvCaJj2nrJGq40c>

Hi Abhinay,
The OSPFv3 authentication trailer RFC (RFC 7166) is a newer RFC than the OSPFv2 HMAC authentication RFC (RFC 5709), and RFC 7166, Section 1.2, Summary of Changes from RFC 6506, says:

   2. Section 3 previously recommended usage of an expired key for
      transmitted OSPFv3 packets when no valid keys existed.  This
      statement has been removed.

So, as per this RFC, my understanding is that it is not recommended to use an expired key for authentication.
We are planning to support HMAC for both OSPFv2/v3, and we thought it would be helpful to keep consistent behavior for both.

Thanks & Regards,
Veerendranath


-----Original Message-----
From: Lsr <lsr-bounces@ietf.org> On Behalf Of Abhinay R
Sent: Monday, March 8, 2021 2:14 PM
To: Veerendranatha Reddy V <veerendranatha.reddy.v=40ericsson.com@dmarc.ietf.org>
Cc: lsr@ietf.org
Subject: Re: [Lsr] [OSPFv2/v3] Regarding Authentication process during last key expiry or no active keys of key chain

Hi Veeru,
        Is there a need to have the same behaviour? When we had to implement it, I remember we followed rule 1 for OSPFv3, but we triggered a trap message before doing so.

Thanks & Regards,
Abhinay R

On Mon, Mar 8, 2021 at 9:00 AM Veerendranatha Reddy V <veerendranatha.reddy.v=40ericsson.com@dmarc.ietf.org> wrote:
>
> Hi All,
>
> As per the OSPF authentication RFCs, when the last key of a key chain
> has expired or is inactive, the behavior of the authentication process
> differs between OSPFv2 and OSPFv3.
>
> For OSPFv2, from RFC 5709, Section 3.2:
>
>    Key storage SHOULD persist across a system restart, warm or cold, to
>    avoid operational issues.  In the event that the last key associated
>    with an interface expires, it is unacceptable to revert to an
>    unauthenticated condition, and not advisable to disrupt routing.
>    Therefore, the router should send a "last Authentication Key
>    expiration" notification to the network manager and treat the key as
>    having an infinite lifetime until the lifetime is extended, the key
>    is deleted by network management, or a new key is configured.
>
> For OSPFv3, from RFC 7166, Section 3:
>
>       Key storage SHOULD persist across a system restart, warm or cold,
>       to avoid operational issues.  In the event that the last key
>       associated with an interface expires, the network operator SHOULD
>       be notified, and the OSPFv3 packet MUST NOT be transmitted
>       unauthenticated.
>
> For a new implementation of these RFCs, I am requesting the suggested behavior.
>
> Sending side:
>
> 1. Do not send the packet until a valid key is configured on the key chain.
> 2. Send the packet without authentication.
> 3. Send the packet with the last expired authentication key.
>
> Receiving side:
>
> 1. Ignore the packets until a valid key is configured on the key chain.
> 2. Accept the packets without authentication.
> 3. Accept the packets that match the last expired key.
>
> Thanks & Regards,
>
> Veerendranath
>



--
~♥~♫AbHiNaY♫~♥~∞

_______________________________________________
Lsr mailing list
Lsr@ietf.org
https://www.ietf.org/mailman/listinfo/lsr
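The two policies the thread compares, RFC 5709's "notify and treat the last expired key as having an infinite lifetime" for OSPFv2 versus RFC 7166's "notify, but MUST NOT transmit" for OSPFv3, modelled over a key chain with send lifetimes. This is an added editorial example, not code from any participant or from either RFC; the Key class, the profile names "rfc5709"/"rfc7166", the notify callback and the sample chain are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Key:
    key_id: int
    secret: bytes
    start: int          # epoch seconds, inclusive
    end: Optional[int]  # epoch seconds, exclusive; None = never expires

    def active(self, now: int) -> bool:
        return self.start <= now and (self.end is None or now < self.end)

def _last_expired(chain: List[Key], now: int) -> Optional[Key]:
    expired = [k for k in chain if k.end is not None and k.end <= now]
    return max(expired, key=lambda k: k.end) if expired else None

def select_send_key(chain: List[Key], now: int, profile: str,
                    notify: Callable[[str], None] = lambda msg: None) -> Optional[Key]:
    """Key for an outgoing packet, or None meaning the packet must not be sent.
    'rfc5709' (OSPFv2): once every key has expired, notify the network manager
    and keep using the last expired key as if it had an infinite lifetime.
    'rfc7166' (OSPFv3): notify and refuse to transmit; the packet is neither
    sent unauthenticated nor signed with an expired key.
    """
    active = [k for k in chain if k.active(now)]
    if active:
        return max(active, key=lambda k: k.start)  # most recently started key
    fallback = _last_expired(chain, now)
    if fallback is None:
        return None  # no key was ever valid; nothing to fall back on
    notify("last Authentication Key expiration")
    return fallback if profile == "rfc5709" else None

def accept_key(chain: List[Key], key_id: int, now: int, profile: str) -> Optional[Key]:
    """Receive side: the key that may verify a packet carrying key_id, or None."""
    for k in chain:
        if k.key_id != key_id:
            continue
        if k.active(now):
            return k
        # RFC 5709 keeps the last expired key usable for receipt too; RFC 7166 does not.
        if (profile == "rfc5709" and k is _last_expired(chain, now)
                and not any(c.active(now) for c in chain)):
            return k
    return None

# Constructed sample chain: key 1 valid for t in [0, 100), key 2 for t in [100, 200).
CHAIN = [Key(1, b"old-secret", 0, 100), Key(2, b"new-secret", 100, 200)]
```

Under either profile the notification fires exactly when the chain has no active key left; what differs is only whether the expired key is then reused or transmission stops.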