Re: [manet] Security documents for OLSRv2/NHDP

Ulrich Herberg <ulrich@herberg.name> Sat, 16 March 2013 23:46 UTC

Date: Sat, 16 Mar 2013 19:46:44 -0400
Message-ID: <CAK=bVC8V0qEHGQ_QNkBOMzJHoRGGShjv8z=LdA35SUyWqCfo0A@mail.gmail.com>
From: Ulrich Herberg <ulrich@herberg.name>
To: adrian@olddog.co.uk
Cc: manet <manet@ietf.org>

AB,

we specified an integrity and replay security protection for OLSRv2, as
requested by Stephen. We could have added that directly in OLSRv2, but
since NHDP uses the same security mechanism, that would have been a
copy of the same text. So we decided to specify the mechanism in a new
draft, which is normatively referenced by OLSRv2, e.g.:
"A conformant implementation of OLSRv2 MUST, at minimum, implement the
security mechanisms specified in [draft-herberg-manet-nhdp-olsrv2-sec]
..."
At the same time this new draft "updates" (in the IETF sense) NHDP by
mandating implementation of the security mechanism.

The new OLSRv2 revision (as well as new revisions of the two security
drafts) will be submitted in the next few days; we are just doing
final reviews amongst the authors.

Best regards
Ulrich


On Sat, Mar 16, 2013 at 6:42 PM, Adrian Farrel <adrian@olddog.co.uk> wrote:
> Yes, I believe the plan is to add more security text to the OLSRv2 draft. The
> choice of words is confusing :-)
> "Update" has a general meaning: to update a draft means to make some revisions.
> "Update" has a specific meaning: to update an RFC means to add a meta-data tag
> formally noting that one RFC updates another.
>
> Adrian
>
>> -----Original Message-----
>> From: manet-bounces@ietf.org [mailto:manet-bounces@ietf.org] On Behalf Of
>> Abdussalam Baryun
>> Sent: 16 March 2013 20:54
>> To: manet
>> Subject: Re: [manet] Security documents for OLSRv2/NHDP
>>
>> I agreed to the update of RFC6130 and have no objection to others, but
>> want to discuss/ask.
>>
>> If the IESG DISCUSS was about the OLSRv2 document, why was the process to
>> update RFC6130 only? And if publication 1 mandates OLSRv2 messages,
>> then IMO it needs to update the OLSRv2 document as well, or do you mean
>> publication 3 is a new version -18 that includes the security of
>> OLSRv2 messaging and refers to publication 1?
>>
>> AB
>>
>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> This message is owned by the author and sent to IETF MANET address and
>> not sent to private mail-boxes. This message is an IETF input not
>> private input.
>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>> On 3/15/13, Christopher Dearlove <christopher.dearlove@googlemail.com>
>> wrote:
>> > OLSRv2 will reference this draft, and therefore it's not an update in the
>> > technical sense in which the term is being used here, as a formal update to
>> > RFC 6130.
>> >
>> > On 15 Mar 2013, at 21:09, Abdussalam Baryun wrote:
>> >
>> >> Hi Ulrich,
>> >>
>> >> Do I understand that publication 1 updates both RFC6130 and OLSRv2, or
>> >> do you mean it only updates RFC6130?
>> >>
>> >> AB
>> >> On 3/15/13, Ulrich Herberg <ulrich@herberg.name> wrote:
>> >>> Dear all,
>> >>>
>> >>> The OLSRv2 authors have had a discussion with Stephen Farrell (Security AD)
>> >>> and Adrian about how to resolve the remaining security related DISCUSS
>> >>> on OLSRv2, and we agreed on a way forward that involves the following
>> >>> steps:
>> >>>
>> >>> 1) Publication of:
>> >>> http://tools.ietf.org/html/draft-herberg-manet-nhdp-olsrv2-sec-01
>> >>>
>> >>> This document mandates (at least) implementation of HMAC/SHA2
>> >>> integrity protection of OLSRv2 messages. Deployments of OLSRv2 should
>> >>> use that mechanism unless they have a more appropriate solution (e.g.,
>> >>> different cipher) for that particular deployment. This document also
>> >>> updates NHDP and mandates implementation of the same HMAC/SHA2 protection
>> >>> for HELLO messages.
>> >>>
>> >>> 2) Publication of:
>> >>> http://tools.ietf.org/html/draft-herberg-manet-rfc6622-bis-01
>> >>>
>> >>> This document obsoletes RFC6622bis by fixing an oversight in RFC6622.
>> >>> The differences are minor to RFC6622 and can be seen here:
>> >>> http://tools.ietf.org/rfcdiff?url1=rfc6622&url2=draft-herberg-manet-rfc6622-bis
>> >>> Essentially, RFC6622 does not protect the IP source address of the
>> >>> interface over which the control message is sent. Since that address
>> >>> is used to establish neighbors in NHDP (and therefore must be
>> >>> protected), a new type extension 3 of the ICV TLV has been added to
>> >>> the registry.
>> >>>
>> >>> 3) Publication of an update to OLSRv2, referencing the use of the
>> >>> defined security mechanism, and resolving other smaller issues from
>> >>> Stephen's DISCUSS.
>> >>>
>> >>> In order to not hold up OLSRv2 further, and upon discussions with Stan
>> >>> and Adrian, we would like to request WG adoption of these two new
>> >>> documents - asking that the chairs will officially poll the WG on this
>> >>> matter shortly. The documents are brief, and address issues
>> >>> requested by the ADs, so we hope that processing them should also be a
>> >>> brief affair.
>> >>>
>> >>> Best regards
>> >>> Ulrich
>> >>> _______________________________________________
>> >>> manet mailing list
>> >>> manet@ietf.org
>> >>> https://www.ietf.org/mailman/listinfo/manet
>> >>>
>> >
>> >
>
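As an added illustration (not code from the drafts or from anyone in the thread) of the RFC6622 oversight Ulrich describes: an ICV computed over the message alone still verifies when the identical message arrives with a different IP source address, whereas an ICV that also covers the source address does not. The single HMAC-SHA256 construction, the shared key, the addresses and the HELLO body are constructed for the example, and prepending the address to the message is an assumption, not the exact encoding of ICV type extension 3.

```python
import hmac
import hashlib

# Constructed sample values (not from the drafts): one shared key, the
# link-local addresses of two routers, and a placeholder HELLO message
# whose ICV field is already zeroed, as the ICV computation requires.
SHARED_KEY = b"constructed-shared-key"
ADDR_A = bytes.fromhex("fe80000000000000000000000000000a")  # router A
ADDR_B = bytes.fromhex("fe80000000000000000000000000000b")  # router B
HELLO = b"constructed NHDP HELLO message body, ICV field zeroed"


def icv_message_only(key: bytes, message: bytes) -> bytes:
    """ICV covering only the message: the RFC6622 behaviour the mail
    describes, simplified to one HMAC-SHA256 over the message bytes."""
    return hmac.new(key, message, hashlib.sha256).digest()


def icv_with_source(key: bytes, src_addr: bytes, message: bytes) -> bytes:
    """ICV that also binds the IP source address (the idea behind the new
    type extension 3). Assumption: the address is prepended to the message."""
    return hmac.new(key, src_addr + message, hashlib.sha256).digest()


def receiver_accepts(received_icv: bytes, recomputed_icv: bytes) -> bool:
    """Constant-time comparison of the ICV carried in the message with the
    ICV the receiver recomputes from what it actually observed."""
    return hmac.compare_digest(received_icv, recomputed_icv)


def demo() -> dict:
    """Router A protects a HELLO. The receiver later sees the same, unmodified
    message but with ADDR_B as the IP source address. Since NHDP derives the
    neighbor's address from the IP header, it would otherwise record B as
    the neighbor. Returns which variants the receiver accepts."""
    icv_old = icv_message_only(SHARED_KEY, HELLO)
    icv_new = icv_with_source(SHARED_KEY, ADDR_A, HELLO)
    return {
        # Source address never enters the computation, so the relabelled
        # copy verifies: the oversight in RFC6622.
        "relabelled_message_only": receiver_accepts(
            icv_old, icv_message_only(SHARED_KEY, HELLO)),
        # Genuine delivery from A still verifies with the extended ICV.
        "legitimate_with_source": receiver_accepts(
            icv_new, icv_with_source(SHARED_KEY, ADDR_A, HELLO)),
        # Same message seen from B fails: the source address is now bound.
        "relabelled_with_source": receiver_accepts(
            icv_new, icv_with_source(SHARED_KEY, ADDR_B, HELLO)),
    }
```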