Re: [OSPF] Authentication/Confidentiality for OSPFv2

Acee Lindem <acee@redback.com> Tue, 25 August 2009 17:21 UTC

In-Reply-To: <4A8C2F43.6010509@cisco.com>
References: <25C684A4-6D5E-4924-892E-758F0AB1A36B@redback.com> <4A8C2F43.6010509@cisco.com>
Mime-Version: 1.0 (Apple Message framework v753.1)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <19964D61-784B-4A71-BD68-9E6A1DAB3DAB@redback.com>
Content-Transfer-Encoding: 7bit
From: Acee Lindem <acee@redback.com>
Date: Tue, 25 Aug 2009 13:21:22 -0400
To: Paul Wells <pauwells@cisco.com>
X-Mailer: Apple Mail (2.753.1)
Cc: OSPF List <ospf@ietf.org>, Suresh Melam <nmelam@juniper.net>
Subject: Re: [OSPF] Authentication/Confidentiality for OSPFv2

Hi Paul,

On Aug 19, 2009, at 12:58 PM, Paul Wells wrote:

> Hi Acee,
>
> Before we make this a working group document I'd like to hear what real problem in OSPFv2 this proposal is addressing.
>
> With draft-ietf-ospf-hmac-sha we are upgrading the authentication algorithms used by OSPFv2 to the same ones commonly used with IPSec. While the optional use of AH does authenticate additional bits of the IP header, I'm not sure I see a significant benefit in that. On the other hand, we lose the replay protection we currently have in OSPFv2.

This would not replace the existing OSPFv2 authentication. Rather, it would augment it.


>
> The only new capability I see is the option of encrypting the protocol traffic while, presumably, leaving everything else in the clear. In my opinion if you really care about confidentiality you'll run everything, including OSPF, through an IPSec tunnel.

That's a valid question? What is the group feeling on this?


>
> I'd rather see the WG spend its time improving RFC 4552 by allowing for automated rekeying (at least on P2P links) rather than simply copying the existing OSPFv3 spec to OSPFv2.

Much of what is going on in this space is not within the charter of the OSPF WG. With respect to P2P links, I've thought about defining a mode of operation that would relegate OSPF(v3) topologies to P2P and P2MP allowing the use of IKEv2 for automated rekeying. In fact, it was one of those ideas I meant to propose at an OSPF WG meeting but never got around to it.

Thanks,
Acee


>
> Regards,
> Paul
>
> Acee Lindem wrote:
>> For some time we've discussed adding IPsec support for OSPFv2 analogous to what we have for OSPFv3. The subject draft describes how we'd build on the OSPFv3 support to support OSPFv2:
>>    http://www.ietf.org/id/draft-gupta-ospf-ospfv2-sec-01.txt
>> What are the current thoughts as far as adding this as a WG document?
>> Thanks,
>> Acee
>> P.S. The formatting issues will be fixed in the next revision.
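The replay protection Paul refers to is the 32-bit cryptographic sequence number that OSPFv2 cryptographic authentication (AuType 2) carries in the packet header and covers with the keyed digest; manually keyed IPsec in the RFC 4552 style has no equivalent. The receiver-side check below is an added example, not code from this thread or from the draft under discussion. It models the mechanism in simplified form: the 24-byte header layout follows RFC 2328, but the digest is plain HMAC-SHA-256 over header and body rather than the exact RFC 5709 derivation, and the key, router IDs and packet bodies are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed, simplified model of an OSPFv2 packet with cryptographic
# authentication (AuType 2). Header layout per RFC 2328; the digest is plain
# HMAC-SHA-256 over header || body (not the exact RFC 5709 construction).
OSPF_VERSION = 2
AU_TYPE_CRYPTO = 2
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def build_packet(router_id, area_id, pkt_type, seq, key_id, key, body):
    """Sender side: header || body || HMAC(key, header || body)."""
    length = 24 + len(body)  # OSPF length field excludes the trailing digest
    # AuType 2 authentication field: 2 reserved bytes, key ID,
    # authentication data length, 32-bit cryptographic sequence number.
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    header = struct.pack("!BBHIIHH", OSPF_VERSION, pkt_type, length,
                         router_id, area_id, 0, AU_TYPE_CRYPTO) + auth_field
    digest = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + digest


class NeighborAuthState:
    """Receiver side: keys by key ID plus the last accepted sequence number per neighbor."""

    def __init__(self, keys):
        self.keys = dict(keys)   # key_id -> shared secret bytes
        self.last_seq = {}       # router_id -> last accepted sequence number

    def verify(self, packet):
        """Return (accepted, reason). Digest is checked before the sequence number
        so an unauthenticated packet can never move the replay window."""
        if len(packet) < 24 + DIGEST_LEN:
            return False, "too-short"
        version, _ptype, length, router_id, _area, _csum, au_type = \
            struct.unpack("!BBHIIHH", packet[:16])
        _res, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
        if version != OSPF_VERSION or au_type != AU_TYPE_CRYPTO:
            return False, "bad-header"
        if auth_len != DIGEST_LEN or len(packet) != length + DIGEST_LEN:
            return False, "bad-length"
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown-key-id"
        signed, digest = packet[:length], packet[length:]
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, digest):  # constant-time compare
            return False, "bad-digest"
        last = self.last_seq.get(router_id)
        if last is not None and seq <= last:
            # Authentic but not newer than what we already accepted: a replay.
            return False, "replay"
        self.last_seq[router_id] = seq
        return True, "ok"


def demo():
    """Walk through accept, replay, stale, tampered and fresh packets; return the reasons."""
    key = b"constructed-shared-key"          # constructed value, not a real secret
    rx = NeighborAuthState({1: key})
    neighbor = 0x0A000001                    # constructed router ID 10.0.0.1
    hello = build_packet(neighbor, 0, 1, 100, 1, key, b"hello-body")
    results = [rx.verify(hello)[1]]                       # first copy: ok
    results.append(rx.verify(hello)[1])                   # same bytes again: replay
    stale = build_packet(neighbor, 0, 1, 99, 1, key, b"hello-body")
    results.append(rx.verify(stale)[1])                   # valid digest, older seq: replay
    tampered = bytearray(hello)
    tampered[30] ^= 1                                     # flip one body byte
    results.append(rx.verify(bytes(tampered))[1])         # bad-digest
    newer = build_packet(neighbor, 0, 1, 101, 1, key, b"hello-body")
    results.append(rx.verify(newer)[1])                   # ok
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks is the point worth keeping: the digest is verified first, with a constant-time comparison, and the per-neighbor sequence number is only advanced by packets that passed it, so a forged packet can neither be accepted nor disturb the window that rejects replays of genuine ones.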