Re: OSPF cryptographic authentication keying

Eastlake III Donald-LDE008 <Donald.Eastlake@MOTOROLA.COM> Wed, 14 August 2002 15:05 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-ID: <05F679A54DF3D51188100008C7919756D38AF4@ma07exm03.corp.isg.mot.com>
Date: Wed, 14 Aug 2002 11:07:03 -0400
Reply-To: Mailing List <OSPF@DISCUSS.MICROSOFT.COM>
Sender: Mailing List <OSPF@DISCUSS.MICROSOFT.COM>
From: Eastlake III Donald-LDE008 <Donald.Eastlake@MOTOROLA.COM>
Subject: Re: OSPF cryptographic authentication keying
To: OSPF@DISCUSS.MICROSOFT.COM
Precedence: list

Mukesh,

Yes, I was talking about OSPFv2.

Thanks for your response but, given that in today's world the shared key is
usually set up "manually", what method is most commonly used? SSH or Secure
Telnet to a Command Line Interface? SNMP? TLS to a web interface? Do routers
usually have two or three ways it can be done?

As I say, I realize this isn't strictly part of the OSPFv2 protocol but
would appreciate any information people can provide.

Thanks,
Donald


Date:    Tue, 13 Aug 2002 14:06:10 -0400
From:    Eastlake III Donald-LDE008 <Donald.Eastlake@MOTOROLA.COM>
Subject: OSPF cryptographic authentication keying

Hi,

I have a couple of questions about how keying is established for OSPF
cryptographic authentication:

First of all, which may be a stupid questions, I have the impression the
keying is essentially on a pairwise basis, rather than a key being shared
among all the entities in an area. Is that correct?

Second, how are these keys normally established in today's operational
world? I realize this is a bit outside of the scope of OSPF, but do people
use manual entry, SNMP, some negotiation framework like ISAKMP, or what?

Thanks,
Donald

Donald E. Eastlake 3rd, +1-508-851-8280 (voice), +1-508-851-8507 (fax)
Motorola, MS: M2-450, 20 Cabot Boulevard, Mansfield, MA 02048 USA

------------------------------

Date:    Tue, 13 Aug 2002 11:44:51 -0700
From:    Mukesh Gupta <mgupta@IPRG.NOKIA.COM>
Subject: Re: OSPF cryptographic authentication keying

> I have a couple of questions about how keying is established for OSPF
> cryptographic authentication:

I am assuming that you are talking about OSPFv2.

> First of all, which may be a stupid questions, I have the impression the
> keying is essentially on a pairwise basis, rather than a key being shared
> among all the entities in an area. Is that correct?

To my knowledge, No. It is not correct. The keys are shared between all the
entities in an area and they are not on a pairwise basis. Using pairwise
keys
in the multicast environment will not work.

> Second, how are these keys normally established in today's operational
> world? I realize this is a bit outside of the scope of OSPF, but do people
> use manual entry, SNMP, some negotiation framework like ISAKMP, or what?

I think, most of the implementations use manual entry. ISAKMP wouldn't be
easy
to use in the multicast environment OSPF uses. Key negotiation mechanisms
for
multicast are still being explored.

regards
Mukesh

--
******************************************************************
Work fascinates me. I can look at it for  hours !
******************************************************************
Mukesh Gupta
Phone: (650) 625-2264
Cell : (650) 868-9111
http://www.iprg.nokia.com/~mgupta
******************************************************************

OSPF cryptographic authentication keying Eastlake III Donald-LDE008
Re: OSPF cryptographic authentication keying Mukesh Gupta
Re: OSPF cryptographic authentication keying Acee Lindem
Re: OSPF cryptographic authentication keying Mukesh Gupta
Re: OSPF cryptographic authentication keying Eastlake III Donald-LDE008
Re: OSPF cryptographic authentication keying Mukesh Gupta