IETF Logo Mail Archive

Re: [OSPF] WG Last Call for Supporting Authentication Trailer for OSPFv3 - draft-ietf-ospf-auth-trai

Vishwas Manral <vishwas.ietf@gmail.com> Wed, 13 April 2011 17:46 UTC

Return-Path: <vishwas.ietf@gmail.com>
X-Original-To: ospf@ietfc.amsl.com
Delivered-To: ospf@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 1DA81E0842 for <ospf@ietfc.amsl.com>; Wed, 13 Apr 2011 10:46:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.28
X-Spam-Level:
X-Spam-Status: No, score=-3.28 tagged_above=-999 required=5 tests=[AWL=0.318, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zXPWhvWClyUc for <ospf@ietfc.amsl.com>; Wed, 13 Apr 2011 10:45:59 -0700 (PDT)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) by ietfc.amsl.com (Postfix) with ESMTP id A8EABE0705 for <ospf@ietf.org>; Wed, 13 Apr 2011 10:45:58 -0700 (PDT)
Received: by pzk30 with SMTP id 30so382461pzk.31 for <ospf@ietf.org>; Wed, 13 Apr 2011 10:45:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ypSBbZqDn/6NdyQNvAbmGFven/7uqnJMd/c/U/5uGAI=; b=b9RIAryfCf/Ha9/u/dGlKz6nKcfILLFVFUoe3+25r8QtuVWN9aNEF8eiK5NjPwILrW vbdnPU77kO/Gg5DJ7lVPaIj6YT1Il93yAt963h/rLCN35LyqC/ELoTaT0rWaWGJAEUMP nHa7iUNYe7KnEPvb6jodgEZ9uuMJRm7X0Lr+M=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=MLHKUnlo632HxQYiMaKwQsnSOJqM2WVy6qnSXdHMb96KcZ83+FmmK0CfA3+uCrKWEL AGq/BzhpvzEsMV9pc0L8Kt4SIdy8d1OtScWdtdcKc5mfSAaxn9vP2Rgi/pVWsdaiwLHl O/lCJDg+KDz6UkRBxXfWlz9QsMfORmxL+WXMQ=
MIME-Version: 1.0
Received: by 10.142.1.12 with SMTP id 12mr7386798wfa.393.1302716757071; Wed, 13 Apr 2011 10:45:57 -0700 (PDT)
Received: by 10.68.41.163 with HTTP; Wed, 13 Apr 2011 10:45:57 -0700 (PDT)
In-Reply-To: <B4EDF6A2-CF0F-4850-864D-771ACAD2E1EC@ericsson.com>
References: <566PDLFAb2496S04.1302586047@web04.cms.usa.net> <BANLkTimM8QO9p1pRNkFTougUgbKH0b=V3Q@mail.gmail.com> <7C362EEF9C7896468B36C9B79200D8350CFD037D65@INBANSXCHMBSA1.in.alcatel-lucent.com> <47E0DC9D-E5B3-40CB-94E1-8A915D7DAE62@ericsson.com> <7C362EEF9C7896468B36C9B79200D8350CFD0DE1EF@INBANSXCHMBSA1.in.alcatel-lucent.com> <66C78CD1-77BC-4DAA-BC79-818292E0659C@ericsson.com> <7C362EEF9C7896468B36C9B79200D8350CFD0DE1F1@INBANSXCHMBSA1.in.alcatel-lucent.com> <7C4E79A4-6AC9-4797-822C-5C0963091C7A@ericsson.com> <7C362EEF9C7896468B36C9B79200D8350CFD0DE210@INBANSXCHMBSA1.in.alcatel-lucent.com> <B4EDF6A2-CF0F-4850-864D-771ACAD2E1EC@ericsson.com>
Date: Wed, 13 Apr 2011 10:45:57 -0700
Message-ID: <BANLkTinMw81MGWbne2p2BTct0+qAeUiAbA@mail.gmail.com>
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: Acee Lindem <acee.lindem@ericsson.com>
Content-Type: multipart/alternative; boundary="00504502b67c8c57f404a0d0615d"
Cc: "ospf@ietf.org" <ospf@ietf.org>
Subject: Re: [OSPF] WG Last Call for Supporting Authentication Trailer for OSPFv3 - draft-ietf-ospf-auth-trai
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2011 17:46:01 -0000

Hi Acee/ Manav,

Good to see we have nearly converged.

I see no reason to mention how to break up the 64 bit sequence number, we
should just mention the behavior desired from that sequence number.

The actual generation of the should be implementation specific. This is no
different from any other spec.

Thanks,
Vishwas
On Wed, Apr 13, 2011 at 10:40 AM, Acee Lindem <acee.lindem@ericsson.com>wrote:

> Hi Manav,
>
> On Apr 13, 2011, at 1:29 PM, Bhatia, Manav (Manav) wrote:
>
> > Ok, I give up - lets increase the sequence space to 64 bits! I seem to be
> the only one who is opposing adding something that I have myself proposed in
> some other draft! :)
> >
> > I am not very comfortable with mandating that upper 32 bits should be
> retrieved from the non volatile storage because there may be devices that
> cannot do this (i.e. may not be able to store data in nvram) and they will
> thus become non compliant to the about-to-be-RFC. How does a device that's
> wants to do AT but cant store info in nvram ever become compliant to this
> standard?
> >
> > I see two ways to deal with this:
> >
> > (1) The text on upper 32 bits should be a MAY and not a MUST, so that
> implementations that don't have nvram or don't want to implement this part
> of the spec still remain compliant to the standard.
>
> I'd vote for this option since I'd bet that devices sophisticated enough to
> run OSPFv3 deployed in places where you care about replay protection across
> cold restarts will have some form of non-volatile memory. Hence, I'd make it
> a SHOULD instead of a MUST.
>
> Thanks,
> Acee
>
>
> >
> > OR
> >
> > (2) We just increase the sequence space to 64 bits and don't say anything
> about it. We let a later RFC define how the upper 32 bits may be populated.
> >
> > Cheers, Manav
> >
> >> -----Original Message-----
> >> From: Acee Lindem [mailto:acee.lindem@ericsson.com]
> >> Sent: Wednesday, April 13, 2011 9.48 PM
> >> To: Bhatia, Manav (Manav)
> >> Cc: ospf@ietf.org
> >> Subject: Re: [OSPF] WG Last Call for Supporting
> >> Authentication Trailer for OSPFv3 - draft-ietf-ospf-auth-trai
> >>
> >> Hi Manav,
> >>
> >> On Apr 13, 2011, at 12:12 PM, Bhatia, Manav (Manav) wrote:
> >>
> >>> Hi Acee,
> >>>
> >>> The reason I didn't want a 64 bit non-decreasing sequence
> >> number in AT is because we are not yet sure if that's the
> >> final approach that we will take. While it appears that this
> >> is probably the path that we will go down with eventually, I
> >> would really like to wait till this gets finalized.
> >>
> >> I believe we all accept that this is not necessarily the
> >> final solution. However, the 64 bit sequence number is better
> >> (as discussed in the E-mail thread between you, Sam, and
> >> myself) is much better than what we have with OSPFv2 today.
> >>
> >> Thanks,
> >> Acee
> >>
> >>
> >>
> >>>
> >>> In the OSPFv2 draft, its trivial to define a new Auth type
> >> for OSPFv3 which expands the sequence space to 64 bits, for
> >> folks that really want to use an expanded sequence space.
> >>>
> >>> Cheers, Manav
> >>>
> >>>> -----Original Message-----
> >>>> From: Acee Lindem [mailto:acee.lindem@ericsson.com]
> >>>> Sent: Wednesday, April 13, 2011 9.36 PM
> >>>> To: Bhatia, Manav (Manav)
> >>>> Cc: Vishwas Manral; Michael Barnes; ospf@ietf.org
> >>>> Subject: Re: [OSPF] WG Last Call for Supporting
> >>>> Authentication Trailer for OSPFv3 - draft-ietf-ospf-auth-trai
> >>>>
> >>>> Hi Manav,
> >>>>
> >>>> On Apr 13, 2011, at 11:56 AM, Bhatia, Manav (Manav) wrote:
> >>>>
> >>>>> Hi Acee,
> >>>>>
> >>>>> I am ok with adding the sequence number strictly increasing
> >>>> in the AT draft. What I was opposing was to include the nonce
> >>>> or the 64 bit auth sequence space that has been proposed
> >> for OSPFv2.
> >>>>
> >>>> I agree with the nonce but I don't see why we don't use the
> >>>> 64-bit sequence number. We've changed a number of things from
> >>>> the existing OSPFv2 authentication trailer already and using
> >>>> a 64 bit non-decreasing sequence number is a relatively
> >> small change.
> >>>>
> >>>> Thanks,
> >>>> Acee
> >>>>
> >>>>
> >>>>>
> >>>>> Cheers, Manav
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Acee Lindem [mailto:acee.lindem@ericsson.com]
> >>>>>> Sent: Wednesday, April 13, 2011 8.32 PM
> >>>>>> To: Bhatia, Manav (Manav)
> >>>>>> Cc: Vishwas Manral; Michael Barnes; ospf@ietf.org
> >>>>>> Subject: Re: [OSPF] WG Last Call for Supporting
> >>>>>> Authentication Trailer for OSPFv3 - draft-ietf-ospf-auth-trai
> >>>>>>
> >>>>>> Hi Manav,
> >>>>>>
> >>>>>> OTOH, we could add the strictly increasing 64 bit sequence
> >>>>>> number to OSPFv3 Auth Trailer draft without too much trouble.
> >>>>>> Even though it might not end up to be exactly what is used
> >>>>>> for the OSPFv2 draft, it seems there is a requirement to do
> >>>>>> something better than is done today. Right now, the OSPFv2 IP
> >>>>>> layer security draft still has all the nounce stuff in it.
> >>>>>> The 64 sequence was primarily a product of the E-mail thread
> >>>>>> between you, Sam, and myself.
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Acee
> >>>>>>
> >>>>>> On Apr 12, 2011, at 4:41 PM, Bhatia, Manav (Manav) wrote:
> >>>>>>
> >>>>>> Hi Vishwas,
> >>>>>>
> >>>>>> As i have explained earlier, AT is a complete solution and
> >>>>>> none of the current proposals in KARP (nonce ID, boot count,
> >>>>>> etc) will be invalidating it. AT provides the basic
> >>>>>> infrastructure over which other these will get built. The two
> >>>>>> are thus not comparable.
> >>>>>>
> >>>>>> Cheers, Manav
> >>>>>>
> >>>>>> ________________________________
> >>>>>> From: Vishwas Manral [mailto:vishwas.ietf@gmail.com]
> >>>>>> Sent: Tuesday, April 12, 2011 10.32 PM
> >>>>>> To: Michael Barnes
> >>>>>> Cc: Bhatia, Manav (Manav);
> >>>>>> curtis@occnc.com<mailto:curtis@occnc.com>; Abhay Roy;
> >>>>>> ospf@ietf.org<mailto:ospf@ietf.org>
> >>>>>> Subject: Re: [OSPF] WG Last Call for Supporting
> >>>>>> Authentication Trailer for OSPFv3 - draft-ietf-ospf-auth-trai
> >>>>>>
> >>>>>> Hi Manav/ Mike,
> >>>>>>
> >>>>>> Though it is ok to have another draft invalidate this one
> >>>>>> after some time. It would be a challenge to get
> >>>>>> implementations to change as fast (if at all).
> >>>>>>
> >>>>>> In my view if the current solution is deemed incomplete, we
> >>>>>> can correct the current solution.
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Vishwas
> >>>>>> On Mon, Apr 11, 2011 at 10:27 PM, Michael Barnes
> >>>>>> <michael_barnes@usa.net<mailto:michael_barnes@usa.net>> wrote:
> >>>>>> Hello Manav,
> >>>>>>
> >>>>>> ------ Original Message ------
> >>>>>> Received: Mon, 11 Apr 2011 10:05:36 PM PDT
> >>>>>> From: "Bhatia, Manav (Manav)"
> >>>>>> <manav.bhatia@alcatel-lucent.com<mailto:manav.bhatia@alcatel-l
> >>>>>> ucent.com>>
> >>>>>> To: Michael Barnes
> >>>>>> <michael_barnes@usa.net<mailto:michael_barnes@usa.net>>,
> >>>>>> "curtis@occnc.com<mailto:curtis@occnc.com>"
> >>>>>> <curtis@occnc.com<mailto:curtis@occnc.com>>, Abhay Roy
> >>>>>> <akr@cisco.com<mailto:akr@cisco.com>>Cc:
> >>>>>> "ospf@ietf.org<mailto:ospf@ietf.org>"
> >>>>>> <ospf@ietf.org<mailto:ospf@ietf.org>>
> >>>>>> Subject: RE: [OSPF] WG Last Call for Supporting
> >>>>>> Authentication Trailer for
> >>>>>> OSPFv3 - draft-ietf-ospf-auth-trai
> >>>>>>
> >>>>>>> Hi Michael,
> >>>>>>>
> >>>>>>>>> right direction and would not have to be revisited
> >>>>>> quite as soon if
> >>>>>>>>> something more robust were proposed.
> >>>>>>>>>
> >>>>>>>>> Bottom line.  Falls short of what I'd like to see but
> >>>>>> no objection.
> >>>>>>>>>
> >>>>>>>>> Curtis
> >>>>>>>>
> >>>>>>>> I agree with Curis. I'd really like to see the first version
> >>>>>>>> of this spec at
> >>>>>>>> least have the extended sequence number as is being
> >>>>>> discussed for v2.
> >>>>>>>
> >>>>>>> I disagree that AT should have a 64 bit sequence space
> >> in the base
> >>>>>> specification primarily because we are not yet sure if the
> >>>>>> KARP boot count
> >>>>>> approach is what the WG will finally converge on (in which
> >>>>>> case we would need
> >>>>>> an extended sequence space). Also note that the AT provides
> >>>>>> an "Auth Type"
> >>>>>> field which can be assigned a new value (similar to how it
> >>>>>> will be done for
> >>>>>> OSPFv2) once we decide to move to a different scheme. The
> >>>>>> same standard that
> >>>>>> extends the OSPFv2 sequence space can also do it for OSPFv3
> >>>>>> AT block - really
> >>>>>> hardly an overhead.
> >>>>>>>
> >>>>>>> Also note that you could consider this proposal as just
> >>>>>> bringing OSPFv3 at
> >>>>>> par with OSPFv2. Once this is done, any proposal that extends
> >>>>>> OSPFv2 will
> >>>>>> natively work for OSPFv3 as well.
> >>>>>>
> >>>>>> So you are saying that this flaw is okay with you? I'd rather
> >>>>>> hold off on
> >>>>>> pushing this forward until this flaw is fixed. And I think
> >>>>>> waiting to see what
> >>>>>> happens in KARP might be a good idea.
> >>>>>>
> >>>>>> Regards,
> >>>>>> Michael
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> OSPF mailing list
> >>>>>> OSPF@ietf.org<mailto:OSPF@ietf.org>
> >>>>>> https://www.ietf.org/mailman/listinfo/ospf
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> OSPF mailing list
> >>>>>> OSPF@ietf.org<mailto:OSPF@ietf.org>
> >>>>>> https://www.ietf.org/mailman/listinfo/ospf
> >>>>>>
> >>>>>>
> >>>>
> >>>>
> >>
> >>
>
>
> _______________________________________________
> OSPF mailing list
> OSPF@ietf.org
> https://www.ietf.org/mailman/listinfo/ospf
>
>

v2.23.0 | Report a Bug | By Email