Re: [OSPF] Re: Stronger Non-IPSec OSPFv2 Authentication
Acee Lindem <acee@redback.com> Wed, 28 March 2007 16:35 UTC
Return-path: <ospf-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HWb7M-00059h-06; Wed, 28 Mar 2007 12:35:24 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HWb7K-00058Y-PU for ospf@ietf.org; Wed, 28 Mar 2007 12:35:22 -0400
Received: from prattle.redback.com ([155.53.12.9]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HWb4J-0004Mm-AS for ospf@ietf.org; Wed, 28 Mar 2007 12:32:25 -0400
Received: from localhost (localhost [127.0.0.1]) by prattle.redback.com (Postfix) with ESMTP id C284DD5AA56; Wed, 28 Mar 2007 09:32:14 -0700 (PDT)
Received: from prattle.redback.com ([127.0.0.1]) by localhost (prattle [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04557-01; Wed, 28 Mar 2007 09:32:14 -0700 (PDT)
Received: from [?????R?IPv6???1] (login005.redback.com [155.53.12.64]) by prattle.redback.com (Postfix) with ESMTP id 200A8D5AA51; Wed, 28 Mar 2007 09:32:13 -0700 (PDT)
In-Reply-To: <77ead0ec0703280901v605f3e40kc716ddef3772ab98@mail.gmail.com>
References: <C784E5DF-DAED-402E-9AC4-D8924E64356A@redback.com> <D5E719B8-D655-4849-867D-C0C675F0F255@redback.com> <C85BF864-9AC3-496A-92C3-16EE7CBE83C0@redback.com> <77ead0ec0703280901v605f3e40kc716ddef3772ab98@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <461B1AAF-D2A6-4AF2-BFA8-546B785985C0@redback.com>
Content-Transfer-Encoding: 7bit
From: Acee Lindem <acee@redback.com>
Subject: Re: [OSPF] Re: Stronger Non-IPSec OSPFv2 Authentication
Date: Wed, 28 Mar 2007 12:31:33 -0400
To: Vishwas Manral <vishwas.ietf@gmail.com>
X-Mailer: Apple Mail (2.752.3)
X-Virus-Scanned: by amavisd-new at redback.com
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a1852b4f554b02e7e4548cc7928acc1f
Cc: OSPF List <ospf@ietf.org>
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
Errors-To: ospf-bounces@ietf.org
Hi Vishwas, To quote the old adage, "You can bring a horse to water but you can't make'em drink." Maybe a document of a more general dealing with IGPs in RPSEC WG would be more appropriate. I just don't think we're ever going to agree on this document in this WG. Thanks, Acee On Mar 28, 2007, at 12:01 PM, Vishwas Manral wrote: > Hi Acee, > > Thanks for the comments. > > I agree we can get stronger authentication, but its of no use unless > we specify that in case we want security we MUST support the > algorithm. As the number of algorithms increase we need to specify a > minimal set of algorithms that need to be supported, else the > interoperability between implementations that want to support security > is not guarenteed . > > Also, as has been pointed out earlier, we have seen in IPsec RFC4305 > as well as RFC4305-bis (of which I am the author), as the computing > power increases and security algorithms become vulnerable to new > attacks, we do not have to change RFC's that talk about how to use the > algorithm. The only RFC that changes is the one that specifies the > support levels of various security algorithms. > > Though it may sound obvious, the support for NULL algorithm states > that if we need support for Security we should not use the NULL > authentication algorithm. > > These were the exact lessons learnt in the past in IPsec. I guess we > should take care not to repeat the mistakes again. > > Thanks again, > Vishwas > > On 3/28/07, Acee Lindem <acee@redback.com> wrote: >> Speaking as a WG member (so I can state my opinion without having >> to be nice >> :^): >> >> I like this option the best since it allows us to get the stronger >> authentication without having to agree on the requirements text. >> Since it >> was presented in Paris, I've never liked the text in >> draft-bhatia-manral-crypto-req-ospf-01.txt. While footnotes >> have been added to address my concerns, it might be easier not to >> try and >> agree on this at all. >> >> I don't like section 3 since, until you read the footnotes, it >> implies NULL >> and simply authentication MUST NOT be used. Null authentication is >> by far >> the easiest to administer, the most efficient, and, I'd wagger, >> the most >> widely deployed. Simple authentication can be useful in situations >> where you >> simply want to run two communities of OSPF routers on the same >> wire. It is >> also good for places where you don't want inadvertent >> participation in the >> OSPF routing domain. You many "trust" the people who have access >> to the >> physical networks running OSPF or have sufficient motivation for >> them to >> behave. >> >> With respect to MD5 authentication - this is currently widely >> deployed and >> it will take some time to be replaced. Hence, I think the whole >> draft could >> be replaced by a statement to the effect that "Users desiring >> cryptographic >> authentication may consider using algorithms x, y, or z due to the >> vulnerabilities in MD5. ....". >> >> Thanks, >> Acee >> >> >> >> >> On Mar 28, 2007, at 8:43 AM, Acee Lindem wrote: >> >> After discussions with members of the ISIS WG, there is a third >> option which >> would be to accept >> draft-bhatia-manral-white-ospf-hmac-sha-03.txt but not >> draft-bhatia-manral-crypto-req-ospf-01.txt. I'd like to >> throw that out as an >> option. >> >> Thanks, >> Acee >> >> >> >> On Mar 27, 2007, at 9:16 AM, Acee Lindem wrote: >> These drafts were presented in San Diego and seem to have >> considerable >> support. >> >> draft-bhatia-manral-crypto-req-ospf-01.txt >> draft-bhatia-manral-white-ospf-hmac-sha-03.txt >> >> Hence, we plan to make these WG documents unless there is significant >> opposition or a compelling reason not to do so. >> Thanks, >> Acee >> >> >> >> >> >> >> _______________________________________________ >> OSPF mailing list >> OSPF@ietf.org >> https://www1.ietf.org/mailman/listinfo/ospf >> >> _______________________________________________ >> OSPF mailing list >> OSPF@ietf.org >> https://www1.ietf.org/mailman/listinfo/ospf >> >> _______________________________________________ OSPF mailing list OSPF@ietf.org https://www1.ietf.org/mailman/listinfo/ospf
- [OSPF] Stronger Non-IPSec OSPFv2 Authentication Acee Lindem
- [OSPF] Re: Stronger Non-IPSec OSPFv2 Authenticati… Acee Lindem
- Re: [OSPF] Re: Stronger Non-IPSec OSPFv2 Authenti… Acee Lindem
- Re: [OSPF] Re: Stronger Non-IPSec OSPFv2 Authenti… Vishwas Manral
- Re: [OSPF] Re: Stronger Non-IPSec OSPFv2 Authenti… Acee Lindem
- Re: [OSPF] Re: Stronger Non-IPSec OSPFv2 Authenti… Vishwas Manral
- Re: [OSPF] Re: Stronger Non-IPSec OSPFv2 Authenti… Phil Cowburn
- Re: [OSPF] Stronger Non-IPSec OSPFv2 Authenticati… Acee Lindem
- FW: [OSPF] Stronger Non-IPSec OSPFv2 Authenticati… Mukesh Gupta
- [OSPF] ospfv3: next hop calculation for adjacent … Goyal, Manoj
- Re: [OSPF] ospfv3: next hop calculation for adjac… Acee Lindem
- [OSPF] Doubt for virtual link cost ? Jin Wang
- Re: [OSPF] Doubt for virtual link cost ? Anton Smirnov
- 答复: Re: [OSPF] Doubt for virtual link cost ? Jin Wang
- Re: [OSPF] Doubt for virtual link cost ? Anton Smirnov
- Re: [OSPF] Doubt for virtual link cost ? Acee Lindem
- RE: [OSPF] Doubt for virtual link cost ? 章魁
- Re: [OSPF] Doubt for virtual link cost ? Abhay D.S
- Re: [OSPF] Doubt for virtual link cost ? Acee Lindem
- RE: [OSPF] Doubt for virtual link cost ? Kui Zhang
- Re: [OSPF] Doubt for virtual link cost ? sujay gupta
- Re: [OSPF] Doubt for virtual link cost ? sujay gupta
- Re: [OSPF] Doubt for virtual link cost ? Roch Guerin
- Re: [OSPF] Doubt for virtual link cost ? Pierre Francois
- Re: [OSPF] Doubt for virtual link cost ? sujay gupta
- Re: [OSPF] Doubt for virtual link cost ? Roch Guerin
- Re: [OSPF] Doubt for virtual link cost ? Roch Guerin
- Re: [OSPF] Doubt for virtual link cost ? Acee Lindem
- Re: [OSPF] Doubt for virtual link cost ? Pierre Francois
- [OSPF] issue for default route originate in NSSA Jin Wang
- Re: [OSPF] Doubt for virtual link cost ? Pierre Francois