Re: [OSPF] OSPF HMAC Cryptographic Authentication

"Vishwas Manral" <vishwas.ietf@gmail.com> Sat, 22 July 2006 05:00 UTC

Date: Sat, 22 Jul 2006 10:30:55 +0530
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: Phil Cowburn <phil.cowburn@gmail.com>
Subject: Re: [OSPF] OSPF HMAC Cryptographic Authentication
Cc: ospf@ietf.org

Hi Phil,

Thanks a lot for the comments as well as for supporting our effort.

Yes, we will note the block size units are bytes. Also we will refer
to RFC3174 for SHA-1 related references. We will also note the
modifications in C code required for the same.

The same effort is underway in IS-IS and RIP too. For IS-IS the draft
is located at:
http://www.ietf.org/internet-drafts/draft-ietf-isis-hmac-sha-00.txt
which has been approved by the working group.

Once we are done with the changes, we can look at the changes required
for the TCP MD5 signature option for BGP, if any.

Thanks again,
Vishwas

On 7/22/06, Phil Cowburn <phil.cowburn@gmail.com> wrote:
> Hi,
>
> In Section 5 you've mentioned the block sizes without units. I presume
> they are in bytes, but it would be good if you explicitly state this.
>
> I think it might be good to refer to RFC 3174 somewhere.
>
> Also AFAIK RFC 2104 has the C code to compute HMAC when the text input
> is fixed in length. SHA algorithms are defined in terms of variable
> number of bits. There may thus be some modifications required in HMAC
> C code for SHA. You may want to capture this somewhere.
>
> Otherwise the draft looks in good shape and has been long due. It's
> time we all moved away from using MD5 to something that's stronger.
>
> Is there a similar work for TCP based protocols like LDP and BGP? Or
> other routing protocols like RIP (naah .. am not sure if we really
> need something like this for RIP) and i-ISIS (for IP)?
>
> Phil
>
> ----- Original Message ----
> From: Vishwas Manral <vishwas.ietf@gmail.com>
> To: Rohit Gupta <rohitgupta416@indiatimes.com>
> Cc: ospf@ietf.org
> Sent: Monday, 17 July, 2006 9:54:59 PM
> Subject: Re: [OSPF] OSPF HMAC Cryptographic Authentication
>
>
> Hi Rohit,
>
> The authors of the OSPF RFC have done it very intelligently. By
> allowing the KeyId field which is Opaque, the value of the KeyId
> itself defines a separate security association (channel). It is the
> understanding between the two ends, that a particular KeyId identifies
> a key as well as the cryptographic algorithm used.
>
> That is the reason we do not need any new fields.
>
> Thanks,
> Vishwas
>
> On 7/17/06, Rohit Gupta <rohitgupta416@indiatimes.com> wrote:
> > Hi,
> >
> > I could not see any new field added in the OSPF message. How do you then make out whether the OSPF router is using HMAC-SHA1 algorithm or the MD5 (the normal OSPF authentication algorithm)?
> >
> > Thanks,
> > Rohit
> >
> > ----- Original Message ----
> > From: Manav Bhatia <manav_bhatia06@yahoo.co.uk>
> > To: ospf@ietf.org
> > Sent: Saturday, 15 July, 2006 5:06:45 AM
> > Subject: [OSPF] OSPF HMAC Cryptographic Authentication
> >
> >
> > Hi,
> >
> > We have just posted a draft that describes a mechanism for authenticating OSPF packets by making use of HMAC algorithm in conjunction with the SHA family of cryptographic hash functions. It would be great if the WG can provide some feedback and comments on the same.
> >
> > http://www.ietf.org/internet-drafts/draft-bhatia-manral-white-ospf-hmac-sha-00.txt
> >
> > Thanks,
> > Manav
> >
> > > ----- Forwarded Message ----
> > > From: Internet-Drafts@ietf.org
> > > To: i-d-announce@ietf.org
> > > Sent: Saturday, July 15, 2006 1:20:01 AM
> > > Subject: I-D ACTION:draft-bhatia-manral-white-ospf-hmac-sha-00.txt
> > >
> > >
> > > A New Internet-Draft is available from the on-line Internet-Drafts
> > > directories.
> > >
> > >
> > >    Title       : OSPF HMAC Cryptographic Authentication
> > >    Author(s)   : M. Bhatia, et al.
> > >    Filename    : draft-bhatia-manral-white-ospf-hmac-sha-00.txt
> > >    Pages       : 10
> > >    Date        : 2006-6-14
> > >
> > >   This document describes a mechanism for authenticating OSPF packets
> > >   by making use of the HMAC algorithm in conjunction with the SHA
> > >   family of cryptographic hash functions. Because of the way the hash
> > >   functions are used in HMAC construction, the collision attacks
> > >   currently known against SHA-1 do not apply.
> > >
> > >   This will be done in addition to the already documented
> > >   authentication schemes described in the base specification.
> > >
> > >
> > > A URL for this Internet-Draft is:
> > > http://www.ietf.org/internet-drafts/draft-bhatia-manral-white-ospf-hmac-sha-00.txt
> > >
> > >
> >
>

_______________________________________________
OSPF mailing list
OSPF@ietf.org
https://www1.ietf.org/mailman/listinfo/ospf
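The two technical points in this thread, that the KeyID alone selects both the key and the hash algorithm (no new packet field), and that the HMAC block sizes are in bytes with SHA padding any input length, are shown together in the added example below. It is not code from the draft or from anyone on this thread: HMAC is built by hand from RFC 2104 over hashlib's SHA implementations (RFC 3174 / FIPS 180), the OSPFv2 header layout follows RFC 2328, and the security-association table, keys and Hello body are constructed sample data.

```python
"""Added example (not code from the draft or from anyone on this thread).

KeyID-selected HMAC-SHA authentication of an OSPFv2 packet: sender and
receiver share a table mapping KeyID -> (hash algorithm, key), and the
KeyID carried in the existing 64-bit authentication field picks both, so
no new packet field is needed. HMAC is built by hand from RFC 2104 so the
block-size handling (in BYTES) is visible; hashlib supplies the hashes.
Header layout follows RFC 2328. SA table, keys and body are constructed.
"""
import hashlib
import hmac
import struct

# Input block size of each hash, in bytes (SHA-384/512 use 128-byte blocks).
BLOCK_SIZE_BYTES = {"md5": 64, "sha1": 64, "sha256": 64, "sha384": 128, "sha512": 128}

OSPF_HEADER_LEN = 24          # fixed OSPFv2 header, including the 8-byte auth field
AUTYPE_CRYPTOGRAPHIC = 2


def hmac_rfc2104(algo, key, text):
    """H(K XOR opad || H(K XOR ipad || text)), K zero-padded to the block size.
    `text` may have any byte length; the hash's own padding handles the tail."""
    block = BLOCK_SIZE_BYTES[algo]
    assert hashlib.new(algo).block_size == block   # sanity-check the table
    if len(key) > block:                            # long keys are hashed first
        key = hashlib.new(algo, key).digest()
    k0 = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in k0)
    opad = bytes(b ^ 0x5C for b in k0)
    inner = hashlib.new(algo, ipad + text).digest()
    return hashlib.new(algo, opad + inner).digest()


def build_packet(router_id, area_id, key_id, seq, sa_table, body):
    """Sender: AuType 2 header, KeyID/len/seq in the auth field, digest
    appended after the packet and not counted in the Length field."""
    algo, key = sa_table[key_id]
    digest_len = hashlib.new(algo).digest_size
    length = OSPF_HEADER_LEN + len(body)
    # version, type (Hello=1), length, router id, area id, checksum (0), autype
    header = struct.pack("!BBHIIHH", 2, 1, length, router_id, area_id, 0,
                         AUTYPE_CRYPTOGRAPHIC)
    auth = struct.pack("!HBBI", 0, key_id, digest_len, seq)
    packet = header + auth + body
    return packet + hmac_rfc2104(algo, key, packet)


def verify_packet(wire, sa_table):
    """Receiver: KeyID -> (algo, key); returns (ok, reason_or_seq)."""
    if len(wire) < OSPF_HEADER_LEN:
        return False, "truncated header"
    _, _, length, _, _, _, autype = struct.unpack("!BBHIIHH", wire[:16])
    _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if autype != AUTYPE_CRYPTOGRAPHIC:
        return False, "not cryptographic authentication"
    sa = sa_table.get(key_id)
    if sa is None:
        return False, "unknown KeyID %d" % key_id
    algo, key = sa
    if auth_len != hashlib.new(algo).digest_size:
        return False, "auth data length %d does not match %s" % (auth_len, algo)
    if len(wire) != length + auth_len:
        return False, "length mismatch"
    expected = hmac_rfc2104(algo, key, wire[:length])
    if not hmac.compare_digest(wire[length:], expected):   # constant-time compare
        return False, "digest mismatch"
    return True, seq


def demo():
    """Constructed scenario; returns the checks a reader would want to see."""
    sa = {1: ("md5", b"legacy-md5-key"), 7: ("sha256", b"rotated-to-sha256")}
    body = b"\xff\xff\xff\x00" + b"\x00\x0a" + b"\x02\x01" + bytes(32)  # constructed Hello body
    wire = build_packet(0x0A000001, 0, 7, 1000, sa, body)
    ok, seq = verify_packet(wire, sa)
    tampered = bytearray(wire)
    tampered[30] ^= 1                               # flip one bit inside the body
    stale_peer = {7: ("md5", b"rotated-to-sha256")}  # peer still thinks KeyID 7 is MD5
    return {
        "good": ok and seq == 1000,
        "tampered_rejected": not verify_packet(bytes(tampered), sa)[0],
        "unknown_keyid_rejected": not verify_packet(wire, {1: sa[1]})[0],
        "algo_mismatch_rejected": not verify_packet(wire, stale_peer)[0],
        # hand-rolled HMAC agrees with the stdlib for short and over-long keys
        "matches_stdlib": all(
            hmac_rfc2104(a, k, body * 5) == hmac.new(k, body * 5, a).digest()
            for a in BLOCK_SIZE_BYTES for k in (b"short", b"x" * 200)),
    }


if __name__ == "__main__":
    print(demo())
```

The Auth Data Len byte doubles as a cheap consistency check: a peer whose table still maps the KeyID to MD5 expects 16 bytes, sees 32, and rejects before doing any hashing. One caveat for anyone implementing against the finished specification rather than this sketch: the published version of this work, RFC 5709, feeds a fixed Apad trailer into the inner hash in place of the digest field, so its output is not bit-for-bit the plain RFC 2104 HMAC computed here; the KeyID lookup, byte-unit block sizes and length checks carry over unchanged.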