IETF Logo Mail Archive

Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for IESG review

Mukesh Gupta <Mukesh.K.Gupta@NOKIA.COM> Thu, 30 December 2004 22:15 UTC

Received: from cherry.ease.lsoft.com (cherry.ease.lsoft.com [209.119.0.109]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA22329 for <ospf-archive@LISTS.IETF.ORG>; Thu, 30 Dec 2004 17:15:02 -0500 (EST)
Received: from vms.dc.lsoft.com (209.119.0.2) by cherry.ease.lsoft.com (LSMTP for Digital Unix v1.1b) with SMTP id <18.00F2AB73@cherry.ease.lsoft.com>; Thu, 30 Dec 2004 17:15:03 -0500
Received: by PEACH.EASE.LSOFT.COM (LISTSERV-TCP/IP release 14.3) with spool id 51316654 for OSPF@PEACH.EASE.LSOFT.COM; Thu, 30 Dec 2004 17:15:01 -0500
Received: from 131.228.20.27 by WALNUT.EASE.LSOFT.COM (SMTPL release 1.0l) with TCP; Thu, 30 Dec 2004 17:15:00 -0500
Received: from esdks003.ntc.nokia.com (esdks003.ntc.nokia.com [172.21.138.158]) by mgw-x4.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id iBUMF0K17039 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 31 Dec 2004 00:15:00 +0200 (EET)
X-Scanned: Fri, 31 Dec 2004 00:14:27 +0200 Nokia Message Protector V1.3.34 2004121512 - RELEASE
Received: (from root@localhost) by esdks003.ntc.nokia.com (8.12.9/8.12.9) id iBUMERdN032496 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 31 Dec 2004 00:14:27 +0200
Received: from mgw-int1.ntc.nokia.com (172.21.143.96) by esdks003.ntc.nokia.com 00CYBC0D; Fri, 31 Dec 2004 00:14:25 EET
Received: from daebh002.NOE.Nokia.com (daebh002.americas.nokia.com [10.241.35.122]) by mgw-int1.ntc.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id iBUMEOU18932 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 31 Dec 2004 00:14:24 +0200 (EET)
Received: from daebe009.NOE.Nokia.com ([10.241.35.109]) by daebh002.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Thu, 30 Dec 2004 16:14:23 -0600
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Thread-Topic: draft-ietf-ospf-ospfv3-auth-06.txt Ready for IESG review
thread-index: AcTuNCyZyn9vDJkgR2uoT7vU2kWhqwAhvbVQ
X-OriginalArrivalTime: 30 Dec 2004 22:14:23.0308 (UTC) FILETIME=[EAC248C0:01C4EEBC]
Message-ID: <8D260779A766FB4A9C1739A476F84FA401F79BA9@daebe009.americas.nokia.com>
Date: Thu, 30 Dec 2004 16:14:23 -0600
Reply-To: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
Sender: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
From: Mukesh Gupta <Mukesh.K.Gupta@NOKIA.COM>
Subject: Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for IESG review
To: OSPF@PEACH.EASE.LSOFT.COM
Precedence: list
Content-Transfer-Encoding: quoted-printable

Vishwas,

Comments inline...

> 1. In "Rekeying Interval" You are giving examples only for 
> ESP, but it is never stated that we are talking only of 
> ESP(and not AH).

We wanted to keep the section general without making it
specific to ESP or AH.  So when we say "Null encryption with
MD5 authentication", it could be used either with ESP or
with AH.  Do we need to add more text to make it clearer?
Do you any have specific changes in mind ?

> 2.  You state 
> " DES Encryption and HMAC-MD5 Authentication will be more secure
>   because of the additional security provided by DES"
> but the draft draft-ietf-ipsec-esp-ah-algorithms-02.txt
> very clearly states that for AH/ESP we should not use DES
> (for well known reasons) "SHOULD NOT DES-CBC [RFC 2405] (3)".
> I am not sure if we want to mention DES at all.

Well, the draft does not recommend using DES either. We just
wanted to compare some non-null encryption schemes with null
encryption schemes and we chose des, 3des and AES.  The draft
mandates the usage of AES so it is inline with the other
IPsec drafts.

> 3. The section 12, is states the mandatory "encryption 
> and authentication algorithms" but does not state the key 
> size to be used for AES-CBC.

All the IPsec implementations that support AES for IPsec
MUST support 128 bit key size (RFC 3602).  So are we not
ok without mentioning the key sizes in this draft and
just referring to 3602?

> 4. On another front instead of having one draft specifying 
> both the support as well as the algorithm's used, would we 
> want a seperate draft for supported algorithms. This allows 
> us to change the supported algorithms even when the base 
> OSPFv3 for IPSec stays the same e.g. when vulnerabilities 
> are found in the algorithm or when key sizes have to be 
> made bigger. This is how it is done in the IPSec working 
> group too(where AH/ESP algorithm's have been seperated 
> from the supported algorithms).

We had taken this approach in previous revs (04, I guess)
but Security ADs (Russ) wanted to have at least one algorithm
required by this draft just to make sure that the 
implementations were interoperable.  We added AES/SHA1
as mandatory as suggested by Russ.

Regards
Mukesh

v2.23.0 | Report a Bug | By Email