Re: [manet] Security documents for OLSRv2/NHDP

"Stan Ratliff (sratliff)" <sratliff@cisco.com> Sun, 17 March 2013 03:53 UTC

From: "Stan Ratliff (sratliff)" <sratliff@cisco.com>
To: Ulrich Herberg <ulrich@herberg.name>
Date: Sun, 17 Mar 2013 03:53:54 +0000
Message-ID: <2ED1D3801ACAAB459FDB4EAC9EAD090C10057F19@xmb-aln-x03.cisco.com>
References: <CAK=bVC-dubQKrdR7H8etpah7OibKjuG0aBm1FFdPf5y4n-wftw@mail.gmail.com> <CADnDZ88vE=pAYKFPne=71qN1-rhbay2QC=hD6dSYEDkTdMhgdQ@mail.gmail.com> <D621FF09-1DD5-4205-9E81-4C129075E66B@gmail.com> <CADnDZ88hLjpUtvEJvJLonq3op7xtiUdEG+FUpyvBNVH7c9muvw@mail.gmail.com> <005e01ce2297$97702bc0$c6508340$@olddog.co.uk> <CAK=bVC8V0qEHGQ_QNkBOMzJHoRGGShjv8z=LdA35SUyWqCfo0A@mail.gmail.com>
In-Reply-To: <CAK=bVC8V0qEHGQ_QNkBOMzJHoRGGShjv8z=LdA35SUyWqCfo0A@mail.gmail.com>
Cc: manet <manet@ietf.org>
Subject: Re: [manet] Security documents for OLSRv2/NHDP

Ulrich, 

Just to be clear: Since the plan is to add a normative reference to OLSRv2, it (meaning the OLSRv2 draft) will be held up, pending WG adoption/acceptance/WGLC of this new draft…

(Taking my co-chair hat off, and speaking just as a WG participant): 
I would have preferred inserting the text directly into OLSRv2 (and NHDP if need be) instead of creating the normative reference. I think this is a tad late in the game to be doing such a thing. 

Regards,
Stan


On Mar 16, 2013, at 7:46 PM, Ulrich Herberg wrote:

> AB,
> 
> we specified an integrity and replay security protection for OLSRv2, as
> requested by Stephen. We could have added that directly in OLSRv2, but
> since NHDP uses the same security mechanism, that would have been a
> copy of the same text. So we decided to specify the mechanism in a new
> draft, which is normatively referenced by OLSRv2, e.g.:
> "A conformant implementation of OLSRv2 MUST, at minimum, implement the
> security mechanisms specified in [draft-herberg-manet-nhdp-olsrv2-sec]
> ..."
> At the same time this new draft "updates" (in the IETF sense) NHDP by
> mandating to implement the security mechanism.
> 
> The new OLSRv2 revision (as well as new revisions of the two security
> drafts) will be submitted in the next few days, we are just doing
> final reviews amongst the authors.
> 
> Best regards
> Ulrich
> 
> 
> On Sat, Mar 16, 2013 at 6:42 PM, Adrian Farrel <adrian@olddog.co.uk> wrote:
>> Yes, I believe the plan is to add more security text to the OLSRv2 draft. The
>> choice of words is confusing :-)
>> "Update" has a general meaning: to update a draft means to make some revisions.
>> "Update" has a specific meaning: to update an RFC means to add a meta-data tag
>> formally noting that one RFC updates another.
>> 
>> Adrian
>> 
>>> -----Original Message-----
>>> From: manet-bounces@ietf.org [mailto:manet-bounces@ietf.org] On Behalf Of
>>> Abdussalam Baryun
>>> Sent: 16 March 2013 20:54
>>> To: manet
>>> Subject: Re: [manet] Security documents for OLSRv2/NHDP
>>> 
>>> I agreed to the update of RFC6130 and have no objection to the others, but
>>> want to discuss/ask.
>>> 
>>> If the IESG DISCUSS was about the OLSRv2 document, why was the process to
>>> update RFC6130 only? And if publication 1 mandates OLSRv2 messages,
>>> then IMO it needs to update the OLSRv2 document as well, or do you mean
>>> that publication 3 is a new version -18 that includes the security of
>>> OLSRv2 messaging and refers to publication 1?
>>> 
>>> AB
>>> 
>>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>> This message is owned by the author and sent to IETF MANET address and
>>> not sent to private mail-boxes. This message is an IETF input not
>>> private input.
>>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>> 
>>> On 3/15/13, Christopher Dearlove <christopher.dearlove@googlemail.com>
>>> wrote:
>>>> OLSRv2 will reference this draft, and therefore it's not an update in the
>>>> technical sense in which the term is being used here, as a formal update to
>>>> RFC 6130.
>>>> 
>>>> On 15 Mar 2013, at 21:09, Abdussalam Baryun wrote:
>>>> 
>>>>> Hi Ulrich,
>>>>> 
>>>>> Do I understand that publication 1 updates both RFC6130 and OLSRv2, or
>>>>> do you mean it only updates RFC6130?
>>>>> 
>>>>> AB
>>>>> On 3/15/13, Ulrich Herberg <ulrich@herberg.name> wrote:
>>>>>> Dear all,
>>>>>> 
>>>>>> The OLSRv2 authors have had a discussion with Stephen Farrell (Security
>>>>>> AD)
>>>>>> and Adrian about how to resolve the remaining security related DISCUSS
>>>>>> on OLSRv2, and we agreed on a way forward that involves the following
>>>>>> steps:
>>>>>> 
>>>>>> 1) Publication of:
>>>>>> http://tools.ietf.org/html/draft-herberg-manet-nhdp-olsrv2-sec-01
>>>>>> 
>>>>>> This document mandates (at least) implementation of HMAC/SHA2
>>>>>> integrity protection of OLSRv2 messages. Deployments of OLSRv2 should
>>>>>> use that mechanism unless they have a more appropriate solution (e.g.,
>>>>>> different cipher) for that particular deployment. This document also
>>>>>> updates NHDP and mandates to implement the same HMAC/SHA2 protection
>>>>>> for HELLO messages.
>>>>>> 
>>>>>> 2) Publication of:
>>>>>> http://tools.ietf.org/html/draft-herberg-manet-rfc6622-bis-01
>>>>>> 
>>>>>> This document obsoletes RFC6622bis by fixing an oversight in RFC6622.
>>>>>> The differences are minor to RFC6622 and can be seen here:
>>>>>> http://tools.ietf.org/rfcdiff?url1=rfc6622&url2=draft-herberg-manet-rfc6622-bis
>>>>>> Essentially, RFC6622 does not protect the IP source address of the
>>>>>> interface over which the control message is sent. Since that address
>>>>>> is used to establish neighbors in NHDP (and therefore must be
>>>>>> protected), a new type extension 3 of the ICV TLV has been added to
>>>>>> the registry.
>>>>>> 
>>>>>> 3) Publication of an update to OLSRv2, referencing the use of the
>>>>>> defined security mechanism, and resolving other smaller issues from
>>>>>> Stephen's DISCUSS.
>>>>>> 
>>>>>> In order to not hold up OLSRv2 further, and upon discussions with Stan
>>>>>> and Adrian, we would like to request WG adoption of these two new
>>>>>> documents - asking that the chairs will officially poll the WG on this
>>>>>> matter shortly. The documents are brief, and address issues
>>>>>> requested by the ADs, so we hope that processing them should also be a
>>>>>> brief affair.
>>>>>> 
>>>>>> Best regards
>>>>>> Ulrich
>>>>>> _______________________________________________
>>>>>> manet mailing list
>>>>>> manet@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/manet
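Added illustration (not part of the thread, and not the wire format of RFC 6622, RFC 7182 or the rfc6622-bis draft): the point Ulrich makes above is that an ICV computed over the message body alone does not bind the IP source address, and NHDP builds neighbour state from that address. The model below uses HMAC-SHA256 over an opaque HELLO body, once without and once with the sending interface's address prepended to the HMAC input, and shows that an unmodified HELLO captured from a legitimate router still verifies when re-emitted from another address under the first construction but not under the second. The key, the addresses, the HELLO bytes and the concatenation layout are all constructed for the example.

```python
"""Added example, not from the MANET thread or any RFC: why an ICV that
omits the IP source address lets a captured HELLO be re-emitted from a
different address, and how binding the source address into the HMAC
input closes that gap.  Byte layout is a simplified model, not the
RFC 6622 / RFC 7182 ICV TLV encoding."""
import hashlib
import hmac
import ipaddress

# Shared symmetric key, assumed pre-distributed to every router (assumption).
KEY = b"example-shared-key-not-for-real-use"


def icv_message_only(key: bytes, message: bytes) -> bytes:
    """Model of an ICV covering only the message body: this is the gap the
    thread describes, the IP source address is not bound to the ICV."""
    return hmac.new(key, message, hashlib.sha256).digest()


def icv_with_source(key: bytes, src: str, message: bytes) -> bytes:
    """Model of the fixed ICV: the packed IP source address of the sending
    interface is prepended to the HMAC input, so the same body sent from
    another address yields a different ICV."""
    addr = ipaddress.ip_address(src).packed
    return hmac.new(key, addr + message, hashlib.sha256).digest()


def verify(key: bytes, src: str, message: bytes, icv: bytes,
           bind_source: bool) -> bool:
    """Receiver-side check.  src is the IP source address the receiver
    observed on the datagram, which is what NHDP uses for neighbour state."""
    expected = (icv_with_source(key, src, message) if bind_source
                else icv_message_only(key, message))
    return hmac.compare_digest(expected, icv)


# Constructed sample: a HELLO body as opaque bytes (not RFC 5444 encoding).
HELLO = b"HELLO neighbours=[fd00::2] validity=6s"
LEGIT_SRC = "fd00::1"       # constructed legitimate router address
ATTACKER_SRC = "fd00::99"   # constructed address the attacker sends from


def replay_from_other_address(bind_source: bool) -> bool:
    """Return True if a HELLO captured from LEGIT_SRC and re-sent unchanged
    from ATTACKER_SRC still verifies at the receiver.  Without source
    binding the receiver accepts it and would create neighbour state for
    the attacker's address; with source binding it is rejected."""
    icv = (icv_with_source(KEY, LEGIT_SRC, HELLO) if bind_source
           else icv_message_only(KEY, HELLO))
    return verify(KEY, ATTACKER_SRC, HELLO, icv, bind_source)


if __name__ == "__main__":
    print("message-only ICV accepts relayed HELLO:",
          replay_from_other_address(bind_source=False))
    print("source-bound ICV accepts relayed HELLO:",
          replay_from_other_address(bind_source=True))
```

The receiver must feed the address it actually observed on the datagram into the check, not an address carried inside the message, since the latter is itself attacker-controlled; that is what makes the binding meaningful for NHDP neighbour establishment.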