[Lsr] [OSPFv2/v3] Regarding Authentication process during last key expiry or no active keys of key chain

Veerendranatha Reddy V <veerendranatha.reddy.v@ericsson.com> Mon, 08 March 2021 03:30 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/uNll2bnUX4zUF2LfhBcBhuhE_rQ>

Hi All,
As per the OSPF authentication RFCs, when the last key of a key chain has expired or is inactive, the behavior of the authentication process is different between OSPFv2 and OSPFv3.

For OSPFv2 from RFC 5709,
      [From Section 3.2]
   Key storage SHOULD persist across a system restart, warm or cold, to
   avoid operational issues.  In the event that the last key associated
   with an interface expires, it is unacceptable to revert to an
   unauthenticated condition, and not advisable to disrupt routing.
   Therefore, the router should send a "last Authentication Key
   expiration" notification to the network manager and treat the key as
   having an infinite lifetime until the lifetime is extended, the key
   is deleted by network management, or a new key is configured.

For OSPFv3 from RFC 7166,
      [From Section 3]
   Key storage SHOULD persist across a system restart, warm or cold,
   to avoid operational issues.  In the event that the last key
   associated with an interface expires, the network operator SHOULD
   be notified, and the OSPFv3 packet MUST NOT be transmitted
   unauthenticated.

For a new implementation of these RFCs, I am requesting the suggested behavior.
Sending side:

  1.  Should not send the packet until a valid key is configured on the key chain.
  2.  Send the packet without authentication.
  3.  Send the packet with the last expired authentication key.

Receiving side:

  1.  Ignore the packets until a valid key is configured on the key chain.
  2.  Accept the packets without authentication.
  3.  Accept the packets that match the last expired key.


Thanks & Regards,
Veerendranath
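
The sending-side constraints in the two quoted passages can be expressed as a key-selection routine. This is an added example, not part of the original message and not code from any OSPF implementation; the names `Key`, `Proto`, `Action`, `select_send_key` and `v3_reuse_expired` are hypothetical. Assumptions: the newest key is preferred when lifetimes overlap, and a chain with no key that has ever been valid fails closed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Key:
    key_id: int
    send_start: float  # lifetime start, epoch seconds
    send_end: float    # lifetime end, epoch seconds (exclusive)


class Proto(Enum):
    OSPFV2 = "RFC 5709"
    OSPFV3 = "RFC 7166"


class Action(Enum):
    SEND_AUTHENTICATED = "send-authenticated"
    SUPPRESS = "suppress"  # there is deliberately no "send unauthenticated"


def select_send_key(proto: Proto, chain: List[Key], now: float,
                    notify: Callable[[str], None],
                    v3_reuse_expired: bool = False) -> Tuple[Action, Optional[Key]]:
    active = [k for k in chain if k.send_start <= now < k.send_end]
    if active:
        # Assumption: with overlapping lifetimes, prefer the newest key.
        return Action.SEND_AUTHENTICATED, max(active, key=lambda k: k.send_start)
    expired = [k for k in chain if k.send_end <= now]
    if not expired:
        # Empty chain or only future keys: neither quoted passage covers
        # this; failing closed is this example's assumption.
        notify("no usable authentication key")
        return Action.SUPPRESS, None
    last = max(expired, key=lambda k: k.send_end)
    notify(f"last Authentication Key expiration (key id {last.key_id})")
    if proto is Proto.OSPFV2 or v3_reuse_expired:
        # RFC 5709 Section 3.2: treat the key as having an infinite lifetime.
        return Action.SEND_AUTHENTICATED, last
    # RFC 7166 Section 3 only forbids unauthenticated transmission;
    # suppressing is one reading, reusing the expired key is the other.
    return Action.SUPPRESS, None


# Constructed sample key chain: two overlapping keys, both expired by t=200.
SAMPLE_CHAIN = [Key(1, 0, 100), Key(2, 50, 200)]
```

The `notify` callback stands in for the operator notification both passages call for; a receiver-side check would mirror the same selection against the key ID carried in the packet.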