Re: [manet] Security documents for OLSRv2/NHDP
"Stan Ratliff (sratliff)" <sratliff@cisco.com> Sun, 17 March 2013 03:53 UTC
From: "Stan Ratliff (sratliff)" <sratliff@cisco.com>
To: Ulrich Herberg <ulrich@herberg.name>
Date: Sun, 17 Mar 2013 03:53:54 +0000
Cc: manet <manet@ietf.org>
Subject: Re: [manet] Security documents for OLSRv2/NHDP

Ulrich,

Just to be clear: Since the plan is to add a normative reference to OLSRv2, it (meaning the OLSRv2 draft) will be held up, pending WG adoption/acceptance/WGLC of this new draft…

(Taking my co-chair hat off, and speaking just as a WG participant): I would have preferred inserting the text directly into OLSRv2 (and NHDP if need be) instead of creating the normative reference. I think this is a tad late in the game to be doing such a thing.

Regards,
Stan

On Mar 16, 2013, at 7:46 PM, Ulrich Herberg wrote:

> AB,
>
> we specified an integrity and replay security protection for OLSRv2, as
> requested by Stephen. We could have added that directly in OLSRv2, but
> since NHDP uses the same security mechanism, that would have been a
> copy of the same text. So we decided to specify the mechanism in a new
> draft, which is normatively referenced by OLSRv2, e.g.:
> "A conformant implementation of OLSRv2 MUST, at minimum, implement the
> security mechanisms specified in [draft-herberg-manet-nhdp-olsrv2-sec]
> ..."
> At the same time this new draft "updates" (in the IETF sense) NHDP by
> mandating to implement the security mechanism.
>
> The new OLSRv2 revision (as well as new revisions of the two security
> drafts) will be submitted in the next few days, we are just doing
> final reviews amongst the authors.
>
> Best regards
> Ulrich
>
>
> On Sat, Mar 16, 2013 at 6:42 PM, Adrian Farrel <adrian@olddog.co.uk> wrote:
>> Yes, I believe the plan is to add more security text to the OLSRv2 draft. The
>> choice of words is confusing :-)
>> "Update" has a general meaning: to update a draft means to make some revisions.
>> "Update" has a specific meaning: to update an RFC means to add a meta-data tag
>> formally noting that one RFC updates another.
>>
>> Adrian
>>
>>> -----Original Message-----
>>> From: manet-bounces@ietf.org [mailto:manet-bounces@ietf.org] On Behalf Of
>>> Abdussalam Baryun
>>> Sent: 16 March 2013 20:54
>>> To: manet
>>> Subject: Re: [manet] Security documents for OLSRv2/NHDP
>>>
>>> I agreed to update of RFC6130 and have no objection of others, but
>>> want to discuss/ask.
>>>
>>> If IESG-DISCUSS was about OLSRv2 document why the process was to
>>> update RFC6130 only? and if publication 1 mandates OLSRv2 messages,
>>> then IMO it needs to update OLSRv2 document as well, or do you mean
>>> the publication-3 is a new version -18 that includes the security of
>>> OLSRv2 messaging and refers to publication-1.
>>>
>>> AB
>>>
>>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>> This message is owned by the author and sent to IETF MANET address and
>>> not sent to private mail-boxes. This message is an IETF input not
>>> private input.
>>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>
>>> On 3/15/13, Christopher Dearlove <christopher.dearlove@googlemail.com>
>>> wrote:
>>>> OLSRv2 will reference this draft, and therefore it's not an update in the
>>>> technical sense in which the term is being used here, as a formal update to
>>>> RFC 6130.
>>>>
>>>> On 15 Mar 2013, at 21:09, Abdussalam Baryun wrote:
>>>>
>>>>> Hi Ulrich,
>>>>>
>>>>> Do I understand that publication 1 updates both RFC6130 and OLSRv2, or
>>>>> do you mean only updates RFC6130,
>>>>>
>>>>> AB
>>>>> On 3/15/13, Ulrich Herberg <ulrich@herberg.name> wrote:
>>>>>> Dear all,
>>>>>>
>>>>>> The OLSRv2 authors have had a discussion with Stephen Farrell (Security
>>>>>> AD)
>>>>>> and Adrian about how to resolve the remaining security related DISCUSS
>>>>>> on OLSRv2, and we agreed on a way forward that involves the following
>>>>>> steps:
>>>>>>
>>>>>> 1) Publication of:
>>>>>> http://tools.ietf.org/html/draft-herberg-manet-nhdp-olsrv2-sec-01
>>>>>>
>>>>>> This document mandates (at least) implementation of HMAC/SHA2
>>>>>> integrity protection of OLSRv2 messages. Deployments of OLSRv2 should
>>>>>> use that mechanism unless they have a more appropriate solution (e.g.,
>>>>>> different cipher) for that particular deployment. This document also
>>>>>> updates NHDP and mandates to implement the same HMAC/SHA2 protection
>>>>>> for HELLO messages.
>>>>>>
>>>>>> 2) Publication of:
>>>>>> http://tools.ietf.org/html/draft-herberg-manet-rfc6622-bis-01
>>>>>>
>>>>>> This document obsoletes RFC6622bis by fixing an oversight in RFC6622.
>>>>>> The differences are minor to RFC6622 and can be seen here:
>>>>>> http://tools.ietf.org/rfcdiff?url1=rfc6622&url2=draft-herberg-manet-rfc6622-bis
>>>>>> Essentially, RFC6622 does not protect the IP source address of the
>>>>>> interface over which the control message is sent. Since that address
>>>>>> is used to establish neighbors in NHDP (and therefore must be
>>>>>> protected), a new type extension 3 of the ICV TLV has been added to
>>>>>> the registry.
>>>>>>
>>>>>> 3) Publication of an update to OLSRv2, referencing the use of the
>>>>>> defined security mechanism, and resolving other smaller issues from
>>>>>> Stephen's DISCUSS.
>>>>>>
>>>>>> In order to not hold up OLSRv2 further, and upon discussions with Stan
>>>>>> and Adrian, we would like to request WG adoption of these two new
>>>>>> documents - asking that the chairs will officially poll the WG on this
>>>>>> matter shortly. The documents are brief, and address issues
>>>>>> requested by the ADs, so we hope that processing them should also be a
>>>>>> brief affair.
>>>>>>
>>>>>> Best regards
>>>>>> Ulrich
>>>>>> _______________________________________________
>>>>>> manet mailing list
>>>>>> manet@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/manet
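
The gap described in item 2 of the quoted announcement, as an added example (not code from the drafts or their authors): an HMAC-SHA-256 ICV computed over the message alone still verifies when the same bytes arrive from a different IP source address, while an ICV that also covers the source address is rejected. The key, addresses, payload and the `address || message` layout are constructed simplifications and not the drafts' wire format.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-shared-key"  # constructed sample key, not from any deployment


def icv_message_only(key: bytes, message: bytes) -> bytes:
    """ICV covering the control message bytes only (source address unprotected)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def icv_with_source(key: bytes, src: str, message: bytes) -> bytes:
    """ICV covering the IP source address followed by the message bytes.

    Simplified layout (assumption): packed address || message. The draft
    defines the exact fields covered by the type extension 3 ICV TLV.
    """
    packed = ipaddress.ip_address(src).packed
    return hmac.new(key, packed + message, hashlib.sha256).digest()


def accept(key, observed_src, message, icv, bind_source):
    """Receiver check: recompute the ICV using the source address seen on the wire."""
    if bind_source:
        expected = icv_with_source(key, observed_src, message)
    else:
        expected = icv_message_only(key, message)
    return hmac.compare_digest(expected, icv)


def demo():
    hello = b"HELLO: constructed sample payload"  # stand-in for an NHDP HELLO
    origin, other = "192.0.2.1", "192.0.2.99"     # documentation addresses (RFC 5737)
    icv_a = icv_message_only(KEY, hello)
    icv_b = icv_with_source(KEY, origin, hello)
    return {
        "msg_only_same_src": accept(KEY, origin, hello, icv_a, False),
        "msg_only_other_src": accept(KEY, other, hello, icv_a, False),
        "bound_same_src": accept(KEY, origin, hello, icv_b, True),
        "bound_other_src": accept(KEY, other, hello, icv_b, True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```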