Questions about OSPF v3 security draft
Mike Fox <mjfox@US.IBM.COM> Fri, 11 February 2005 14:34 UTC
Received: from cherry.ease.lsoft.com (cherry.ease.lsoft.com [209.119.0.109]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA01533 for <ospf-archive@LISTS.IETF.ORG>; Fri, 11 Feb 2005 09:34:17 -0500 (EST)
Received: from vms.dc.lsoft.com (209.119.0.2) by cherry.ease.lsoft.com (LSMTP for Digital Unix v1.1b) with SMTP id <13.00F82B97@cherry.ease.lsoft.com>; Fri, 11 Feb 2005 9:34:16 -0500
Received: by PEACH.EASE.LSOFT.COM (LISTSERV-TCP/IP release 14.3) with spool id 57397618 for OSPF@PEACH.EASE.LSOFT.COM; Fri, 11 Feb 2005 09:34:15 -0500
Received: from 32.97.110.131 by WALNUT.EASE.LSOFT.COM (SMTPL release 1.0l) with TCP; Fri, 11 Feb 2005 09:34:14 -0500
Received: from d03relay05.boulder.ibm.com (d03relay05.boulder.ibm.com [9.17.195.107]) by e33.co.us.ibm.com (8.12.10/8.12.9) with ESMTP id j1BEYDiK193220 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 11 Feb 2005 09:34:13 -0500
Received: from d03av01.boulder.ibm.com (d03av01.boulder.ibm.com [9.17.195.167]) by d03relay05.boulder.ibm.com (8.12.10/NCO/VER6.6) with ESMTP id j1BEYCvR244192 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 11 Feb 2005 07:34:12 -0700
Received: from d03av01.boulder.ibm.com (loopback [127.0.0.1]) by d03av01.boulder.ibm.com (8.12.11/8.12.11) with ESMTP id j1BEYC4i015069 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 11 Feb 2005 07:34:12 -0700
Received: from d03nm118.boulder.ibm.com (d03nm118.boulder.ibm.com [9.17.195.144]) by d03av01.boulder.ibm.com (8.12.11/8.12.11) with ESMTP id j1BEYCkw015053 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 11 Feb 2005 07:34:12 -0700
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.0.2CF1 June 9, 2003
X-MIMETrack: S/MIME Sign by Notes Client on Mike Fox/Raleigh/IBM(Release 6.0.2CF1|June 9, 2003) at 02/11/2005 09:38:01 AM, Serialize by Notes Client on Mike Fox/Raleigh/IBM(Release 6.0.2CF1|June 9, 2003) at 02/11/2005 09:38:01 AM, Serialize complete at 02/11/2005 09:38:01 AM, S/MIME Sign failed at 02/11/2005 09:38:01 AM: The cryptographic key was not found, Serialize by Router on D03NM118/03/M/IBM(Build V70_M4_01112005 Beta 3|January 11, 2005) at 02/11/2005 07:34:11, Serialize complete at 02/11/2005 07:34:11
Content-Type: multipart/alternative; boundary="=_alternative 0050629885256FA5_="
Message-ID: <OF9345CE25.7DE72955-ON87256FA5.004FB5B7-85256FA5.0050629B@us.ibm.com>
Date: Fri, 11 Feb 2005 07:34:08 -0700
Reply-To: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
Sender: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
From: Mike Fox <mjfox@US.IBM.COM>
Subject: Questions about OSPF v3 security draft
To: OSPF@PEACH.EASE.LSOFT.COM
Precedence: list
Regarding http://www.ietf.org/internet-drafts/draft-ietf-ospf-ospfv3-auth-07.txt, and the previous drafts, a couple of questions have come up in our shop. 1) Section 7, 2nd paragraph says "the implementations MUST use manually configured keys with same SA for inbound and outbound traffic (as shown in figure 3). I assume the "same SA" MUST rule applies to multicast traffic only and not unicast traffic. This is because an SA is defined as an SPI, security protocol (AH or ESP), and destination IP address. For unicast addresses, by definition there will be as many SAs as there are unicast destination addresses. Therefore, I don't think it is possible to apply this MUST rule given the current IPSec definition (RFC 2401 section 4.1) of an SA for unicast. Assuming the intention of the draft was to apply only to multicast and given the number of potential SAs carrying unicast traffic, it would seem that using IKE to setup the SAs dynamically would be a reasonable alternative to manual keying. 2)Section 9, 2nd paragraph discusses setting up a "secure IPSec channel dynamically once it acquires the required information". Since this traffic is unicast only, IKE could easily set up the required SAs without knowing the specific IP addresses in advance. Creating SAs dynamically do not fit easily within scope of manual SA functional capabilities. Why not use IKE for this traffic? Is this an acceptable option? Mike ----------------------------------------------------------------------- Enterprise Network Solutions ----------------------------------------------------------------------- Research Triangle Park, NC USA
- Questions about OSPF v3 security draft Mike Fox
- draft-ietf-ospf-ospfv3-auth-07.txt : Questions Erblichs
- Re: Questions about OSPF v3 security draft Vishwas Manral
- Re: Questions about OSPF v3 security draft Mike Fox
- Re: Questions about OSPF v3 security draft Vishwas Manral
- Re: Questions about OSPF v3 security draft Vishwas Manral