Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for IESG review

[Vishwas Manral <Vishwas@SINETT.COM>]

Hi,
 
Some more minor comments: -
 
1. In "Rekeying Interval" You are giving examples only for ESP, but it is never stated that we are talking only of ESP(and not AH).
2.  You state 
" DES Encryption and HMAC-MD5 Authentication will be more secure
   because of the additional security provided by DES"
but the draft http://www.ietf.org/internet-drafts/draft-ietf-ipsec-esp-ah-algorithms-02.txt
very clearly states that for AH/ESP we should not use DES(for well known reasons) 
      "SHOULD NOT     DES-CBC [RFC 2405] (3)". I am not sure if we want to mention DES at all.
3. The section 12, is states the mandatory "encryption and authentication algorithms" but does not state the key size to be used for AES-CBC.
4. On another front instead of having one draft specifying both the support as well as the algorithm's used, would we want a seperate draft for supported algorithms. This allows us to change the supported algorithms even when the base OSPFv3 for IPSec stays the same e.g. when vulnerabilities are found in the algorithm or when key sizes have to be made bigger. This is how it is done in the IPSec working group too(where AH/ESP algorithm's have been seperated from the supported algorithms).
 
Thanks,
Vishwas
 

--------------------------------------------------------------------------------
From: Mailing List on behalf of Vishwas Manral
Sent: Wed 12/29/2004 9:09 PM
To: OSPF@PEACH.EASE.LSOFT.COM
Subject: Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for IESG review

Hi Mukesh and Suresh,
I went through the draft and think it is in pretty good shape now and seems most of my comments are taken care of. However :-
1. In the draft you state that there are know known problems of replaying DB packets. Replaying a DB packet can result in the entrie database being exchanged again which is a CPU heavy process.
2. Similar issues with LS request packets.
3.  Though we have addressed the case of specifying some default/supported values, I think we do not do that for all optional parameters. e.g. ESN etc.
4. We can have multiple SA's between two routers. When DSCP is supported should the same SA be used or should multiple SA's be used?
Thanks,
Vishwas
________________________________
From: Mailing List on behalf of Mukesh Gupta
Sent: Wed 12/29/2004 1:21 PM
To: OSPF@PEACH.EASE.LSOFT.COM
Subject: draft-ietf-ospf-ospfv3-auth-06.txt Ready for IESG review
 
Alex/Bill,
06 version of the OSPFv3 Security draft addresses the
following comments/issues:
From IESG:
- Discuss about how much protection OSPF has for replay
  attacks without the security enabled
- Add references to 3602 and 2404
- Analyze and recommend values of rekeying interval and KeyRolloverInterval
- Spell out in the security considerations that one router can impersonate another
- Larger routing security not considered here (refer to rpsec)
  i.e., "What's left to worry about after you deploy this?"
- Refer to rpsec drafts
From authors:
- MUST requirement for hex format keys.  This will significantly
  increase the entropy of the keys.
We have addressed all the comments from IESG and we think that
this version is ready to be reviewed by IESG again.
Regards
Mukesh & Suresh