IETF Logo Mail Archive

Re: [OSPF] Revised OSPF HMAC SHA Authentication Draft

Acee Lindem <acee@cisco.com> Tue, 22 August 2006 19:44 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GFcB0-0001Ds-I5; Tue, 22 Aug 2006 15:44:42 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GFcAz-0001Dn-Kd for ospf@ietf.org; Tue, 22 Aug 2006 15:44:41 -0400
Received: from sj-iport-5.cisco.com ([171.68.10.87]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GFcAx-00057b-9I for ospf@ietf.org; Tue, 22 Aug 2006 15:44:41 -0400
Received: from sj-dkim-8.cisco.com ([171.68.10.93]) by sj-iport-5.cisco.com with ESMTP; 22 Aug 2006 12:44:39 -0700
X-IronPort-AV: i="4.08,156,1154934000"; d="scan'208"; a="312752086:sNHT32244344"
Received: from sj-core-4.cisco.com (sj-core-4.cisco.com [171.68.223.138]) by sj-dkim-8.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id k7MJicmF015772; Tue, 22 Aug 2006 12:44:38 -0700
Received: from xbh-rtp-211.amer.cisco.com (xbh-rtp-211.cisco.com [64.102.31.102]) by sj-core-4.cisco.com (8.12.10/8.12.6) with ESMTP id k7MJib6a023854; Tue, 22 Aug 2006 12:44:38 -0700 (PDT)
Received: from xfe-rtp-202.amer.cisco.com ([64.102.31.21]) by xbh-rtp-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 22 Aug 2006 15:44:36 -0400
Received: from [10.82.225.19] ([10.82.225.19]) by xfe-rtp-202.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 22 Aug 2006 15:44:36 -0400
Message-ID: <44EB5EA3.2030102@cisco.com>
Date: Tue, 22 Aug 2006 15:44:35 -0400
From: Acee Lindem <acee@cisco.com>
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
MIME-Version: 1.0
To: Tom Sanders <toms.sanders@gmail.com>
Subject: Re: [OSPF] Revised OSPF HMAC SHA Authentication Draft
References: <6ed23a860608210420h19486857i748aa01cf65a91c9@mail.gmail.com> <20060821142220.63912.qmail@web25406.mail.ukl.yahoo.com> <6ed23a860608210951m6104514fw16ba3215e45df7eb@mail.gmail.com>
In-Reply-To: <6ed23a860608210951m6104514fw16ba3215e45df7eb@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 22 Aug 2006 19:44:36.0415 (UTC) FILETIME=[66013CF0:01C6C623]
DKIM-Signature: a=rsa-sha1; q=dns; l=2282; t=1156275878; x=1157139878; c=relaxed/relaxed; s=sjdkim8002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=acee@cisco.com; z=From:Acee=20Lindem=20<acee@cisco.com> |Subject:Re=3A=20[OSPF]=20Revised=20OSPF=20HMAC=20SHA=20Authentication=20Draft; X=v=3Dcisco.com=3B=20h=3D43KKY7RDE6Tb7dPHIa/escbtBpk=3D; b=TUPyQFZ2E0zOK1NGQTiyaQLRoyCeeUGQ+jy/00Bd+afLD9eAQoVOYRPNpxRq//608ak1tbYy k+mRe7UYpebEj2G3bC9K50pt0c3EPGIzsYwhbl6IWCreaEhik2VpKMpz;
Authentication-Results: sj-dkim-8.cisco.com; header.From=acee@cisco.com; dkim=pass ( sig from cisco.com verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 52f7a77164458f8c7b36b66787c853da
Cc: ospf@ietf.org
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
Errors-To: ospf-bounces@ietf.org

Tom Sanders wrote:
> Manav,
>
>> We dont need to use a new auth type value for each new authentication 
>> scheme > that comes up in the future.
>>
>> One can define a new generic auth type 3, which would carry the 
>> authentication > algorithm details in addition to the Key ID, auth 
>> data length and the crypto
>> sequence number. The authentication data for type auth type 3 would 
>> be the
>> same as type 2, except that the reserved bytes would get replaced 
>> with the
>> authentication algorithm ID.
>
> Excellent, this is much better than our initial guess.
>
> Actually one octet is enough for carrying the Algo ID. You are still
> left with one reserved octet. Go Play!
>
>>
>> However, i dont think this is required.
>
> Well, thats something that the WG, and not you and me, have to decide! :)
Hi Tom,

I'd also vote against this since the standardized definition of 
cryptographic
authentication (AuType = 2) was designed to accommodate different hash
algorithms. Based on the discussion heretofore, it seems that its definition
satisfies this requirement. Additionally, I don't see any compatibility 
problems
with implementations unequivocally map AuType 2 to MD5 authentication.
As one would expect, authentication will fail (at least with a very high
probability :^) if there is a mismatch between configured hash algorithms.

Thanks,
Acee

>
>>
>> Cheers,
>> Manav
>>
>> >> On 20/08/06, Phil Cowburn <phil.cowburn@gmail.com> wrote:
>> >>
>> >> I strongly agree with Manav here and an implementation must be 
>> able to
>> >> demultiplex using the Key ID in the incoming packet. It is afterall
>> >> for this very reason that we put the Key ID in the packet.
>> >>
>> >> Erblichs point, as i read it is, that most implementations (if not
>> >> all) currently take type 2 to mean MD5. This may break once this 
>> draft
>> >> becomes a standard, which it would, in some time.
>> >>
>> >> My take on this is that even if the WG agrees to Erblichs solution 
>> and
>> >> introduces a new type, say 3 for HMAC-SHA-1 authentication, then
>> >> somebody else could repeat the same argument and clamour for a new
>> >> type when we're introducing newer authentication algorithms in the
>> >> future.
>> >>
>>
>

_______________________________________________
OSPF mailing list
OSPF@ietf.org
https://www1.ietf.org/mailman/listinfo/ospf

v2.23.0 | Report a Bug | By Email