[manet] Security documents for OLSRv2/NHDP

Ulrich Herberg <ulrich@herberg.name> Fri, 15 March 2013 17:51 UTC

Date: Fri, 15 Mar 2013 13:51:11 -0400
Message-ID: <CAK=bVC-dubQKrdR7H8etpah7OibKjuG0aBm1FFdPf5y4n-wftw@mail.gmail.com>
From: Ulrich Herberg <ulrich@herberg.name>
To: manet@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Cc: Christopher Dearlove <chris.dearlove@baesystems.com>, Thomas Clausen <thomas@thomasclausen.org>
Subject: [manet] Security documents for OLSRv2/NHDP

Dear all,

The OLSRv2 authors have had a discussion with Stephen Farrell (Security AD)
and Adrian about how to resolve the remaining security related DISCUSS
on OLSRv2, and we agreed on a way forward that involves the following
steps:

1) Publication of:
http://tools.ietf.org/html/draft-herberg-manet-nhdp-olsrv2-sec-01

This document mandates (at least) implementation of HMAC/SHA2
integrity protection of OLSRv2 messages. Deployments of OLSRv2 should
use that mechanism unless they have a more appropriate solution (e.g.,
different cipher) for that particular deployment. This document also
updates NHDP and mandates to implement the same HMAC/SHA2 protection
for HELLO messages.

2) Publication of:
http://tools.ietf.org/html/draft-herberg-manet-rfc6622-bis-01

This document obsoletes RFC6622 by fixing an oversight in RFC6622.
The differences from RFC6622 are minor and can be seen here:
http://tools.ietf.org/rfcdiff?url1=rfc6622&url2=draft-herberg-manet-rfc6622-bis
Essentially, RFC6622 does not protect the IP source address of the
interface over which the control message is sent. Since that address
is used to establish neighbors in NHDP (and therefore must be
protected), a new type extension 3 of the ICV TLV has been added to
the registry.

3) Publication of an update to OLSRv2, referencing the use of the
defined security mechanism, and resolving other smaller issues from
Stephen's DISCUSS.

In order to not hold up OLSRv2 further, and upon discussions with Stan
and Adrian, we would like to request WG adoption of these two new
documents, and ask that the chairs officially poll the WG on this
matter shortly. The documents are brief and address issues
requested by the ADs, so we hope that processing them should also be a
brief affair.

Best regards
Ulrich
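An added illustration of the two points made in the message above (the mandated HMAC/SHA2 integrity check, and the RFC6622 oversight that the ICV does not cover the IP source address used by NHDP to establish neighbors). This is example code written for this page, not code from the drafts or from the OLSRv2 authors. The key, the HELLO payload and the addresses are constructed, and the choice to compute the ICV over the packed source address followed by the message is an assumption made for illustration; it conveys the idea behind ICV TLV type extension 3, not the exact encoding the draft specifies.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data (not from the drafts): a shared key and a HELLO-like
# payload. Real OLSRv2/NHDP messages use RFC 5444 encoding; a plain byte string
# is enough to show what the ICV does and does not cover.
KEY = b"constructed-shared-key-for-illustration-only"
HELLO = b"HELLO from 10.0.0.2: links=[10.0.0.3, 10.0.0.4]"


def icv_message_only(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message alone. The IP source address of the
    datagram is not part of the input, which is the oversight in RFC6622
    described in the e-mail."""
    return hmac.new(key, message, hashlib.sha256).digest()


def icv_with_source(key: bytes, src_addr: str, message: bytes) -> bytes:
    """HMAC-SHA256 over src_addr || message, so the ICV is bound to the
    address the message was sent from. Prepending the packed address is an
    assumption made for this example: it is the idea behind ICV TLV type
    extension 3, not its exact byte layout. Works for IPv4 and IPv6."""
    packed = ipaddress.ip_address(src_addr).packed
    return hmac.new(key, packed + message, hashlib.sha256).digest()


def verify_message_only(key: bytes, message: bytes, icv: bytes) -> bool:
    """Receiver-side check for the message-only scheme (constant-time compare)."""
    return hmac.compare_digest(icv_message_only(key, message), icv)


def verify_with_source(key: bytes, observed_src: str, message: bytes, icv: bytes) -> bool:
    """Receiver-side check for the source-bound scheme. observed_src is the
    IP source address of the datagram the receiver actually got, which is
    also the address NHDP would use to create neighbor state."""
    return hmac.compare_digest(icv_with_source(key, observed_src, message), icv)


def replay_from_other_address():
    """Scenario: 10.0.0.2 originates a HELLO; a node at 10.0.0.9 that holds no
    key captures it and resends it unmodified from its own address.
    Returns (accepted_old, accepted_new_from_attacker, accepted_new_from_originator)."""
    originator = "10.0.0.2"
    attacker = "10.0.0.9"

    # Old scheme: the ICV computed by the originator still verifies when the
    # datagram arrives from 10.0.0.9, so the receiver would build neighbor
    # state for an address that never ran the protocol.
    icv_old = icv_message_only(KEY, HELLO)
    accepted_old = verify_message_only(KEY, HELLO, icv_old)

    # New scheme: the originator bound its own address into the ICV; the
    # receiver recomputes with the address it observed, 10.0.0.9, and fails.
    icv_new = icv_with_source(KEY, originator, HELLO)
    accepted_new_from_attacker = verify_with_source(KEY, attacker, HELLO, icv_new)
    accepted_new_from_originator = verify_with_source(KEY, originator, HELLO, icv_new)

    return accepted_old, accepted_new_from_attacker, accepted_new_from_originator


if __name__ == "__main__":
    print(replay_from_other_address())  # (True, False, True)
```

The point the receiver side has to get right is which address goes into the recomputation: it must be the source address of the datagram as actually received, not any address carried inside the message, since the former is what NHDP keys its neighbor state on.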