Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for IESG review
Mukesh Gupta <Mukesh.K.Gupta@NOKIA.COM> Thu, 30 December 2004 22:15 UTC
Received: from cherry.ease.lsoft.com (cherry.ease.lsoft.com [209.119.0.109]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA22329 for <ospf-archive@LISTS.IETF.ORG>; Thu, 30 Dec 2004 17:15:02 -0500 (EST)
Received: from vms.dc.lsoft.com (209.119.0.2) by cherry.ease.lsoft.com (LSMTP for Digital Unix v1.1b) with SMTP id <18.00F2AB73@cherry.ease.lsoft.com>; Thu, 30 Dec 2004 17:15:03 -0500
Received: by PEACH.EASE.LSOFT.COM (LISTSERV-TCP/IP release 14.3) with spool id 51316654 for OSPF@PEACH.EASE.LSOFT.COM; Thu, 30 Dec 2004 17:15:01 -0500
Received: from 131.228.20.27 by WALNUT.EASE.LSOFT.COM (SMTPL release 1.0l) with TCP; Thu, 30 Dec 2004 17:15:00 -0500
Received: from esdks003.ntc.nokia.com (esdks003.ntc.nokia.com [172.21.138.158]) by mgw-x4.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id iBUMF0K17039 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 31 Dec 2004 00:15:00 +0200 (EET)
X-Scanned: Fri, 31 Dec 2004 00:14:27 +0200 Nokia Message Protector V1.3.34 2004121512 - RELEASE
Received: (from root@localhost) by esdks003.ntc.nokia.com (8.12.9/8.12.9) id iBUMERdN032496 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 31 Dec 2004 00:14:27 +0200
Received: from mgw-int1.ntc.nokia.com (172.21.143.96) by esdks003.ntc.nokia.com 00CYBC0D; Fri, 31 Dec 2004 00:14:25 EET
Received: from daebh002.NOE.Nokia.com (daebh002.americas.nokia.com [10.241.35.122]) by mgw-int1.ntc.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id iBUMEOU18932 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 31 Dec 2004 00:14:24 +0200 (EET)
Received: from daebe009.NOE.Nokia.com ([10.241.35.109]) by daebh002.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Thu, 30 Dec 2004 16:14:23 -0600
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Thread-Topic: draft-ietf-ospf-ospfv3-auth-06.txt Ready for IESG review
thread-index: AcTuNCyZyn9vDJkgR2uoT7vU2kWhqwAhvbVQ
X-OriginalArrivalTime: 30 Dec 2004 22:14:23.0308 (UTC) FILETIME=[EAC248C0:01C4EEBC]
Message-ID: <8D260779A766FB4A9C1739A476F84FA401F79BA9@daebe009.americas.nokia.com>
Date: Thu, 30 Dec 2004 16:14:23 -0600
Reply-To: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
Sender: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
From: Mukesh Gupta <Mukesh.K.Gupta@NOKIA.COM>
Subject: Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for IESG review
To: OSPF@PEACH.EASE.LSOFT.COM
Precedence: list
Content-Transfer-Encoding: quoted-printable
Vishwas, Comments inline... > 1. In "Rekeying Interval" You are giving examples only for > ESP, but it is never stated that we are talking only of > ESP(and not AH). We wanted to keep the section general without making it specific to ESP or AH. So when we say "Null encryption with MD5 authentication", it could be used either with ESP or with AH. Do we need to add more text to make it clearer? Do you any have specific changes in mind ? > 2. You state > " DES Encryption and HMAC-MD5 Authentication will be more secure > because of the additional security provided by DES" > but the draft draft-ietf-ipsec-esp-ah-algorithms-02.txt > very clearly states that for AH/ESP we should not use DES > (for well known reasons) "SHOULD NOT DES-CBC [RFC 2405] (3)". > I am not sure if we want to mention DES at all. Well, the draft does not recommend using DES either. We just wanted to compare some non-null encryption schemes with null encryption schemes and we chose des, 3des and AES. The draft mandates the usage of AES so it is inline with the other IPsec drafts. > 3. The section 12, is states the mandatory "encryption > and authentication algorithms" but does not state the key > size to be used for AES-CBC. All the IPsec implementations that support AES for IPsec MUST support 128 bit key size (RFC 3602). So are we not ok without mentioning the key sizes in this draft and just referring to 3602? > 4. On another front instead of having one draft specifying > both the support as well as the algorithm's used, would we > want a seperate draft for supported algorithms. This allows > us to change the supported algorithms even when the base > OSPFv3 for IPSec stays the same e.g. when vulnerabilities > are found in the algorithm or when key sizes have to be > made bigger. This is how it is done in the IPSec working > group too(where AH/ESP algorithm's have been seperated > from the supported algorithms). We had taken this approach in previous revs (04, I guess) but Security ADs (Russ) wanted to have at least one algorithm required by this draft just to make sure that the implementations were interoperable. We added AES/SHA1 as mandatory as suggested by Russ. Regards Mukesh
- draft-ietf-ospf-ospfv3-auth-06.txt Ready for IESG… Mukesh Gupta
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Bill Fenner
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Vishwas Manral
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Vishwas Manral
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Mukesh Gupta
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Mukesh Gupta
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Vishwas Manral
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Acee Lindem
- WG Last Call on draft-ietf-ospf-ospfv3-auth-06.txt Acee Lindem
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Bill Fenner
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Suresh Melam
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Vishwas Manral
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Mukesh Gupta
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Vishwas Manral
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Acee Lindem
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Vishwas Manral
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Mukesh Gupta
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Mukesh Gupta
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Vishwas Manral
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Erblichs
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Mukesh Gupta
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Acee Lindem
- Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for … Mukesh Gupta