Re: [OSPF] Revised OSPF HMAC SHA Authentication Draft
"Vishwas Manral" <vishwas.ietf@gmail.com> Tue, 29 August 2006 07:51 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHyNP-00070P-K6; Tue, 29 Aug 2006 03:51:15 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHyNN-00070A-Lk for ospf@ietf.org; Tue, 29 Aug 2006 03:51:13 -0400
Received: from wx-out-0506.google.com ([66.249.82.224]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GHyNM-0006GF-AX for ospf@ietf.org; Tue, 29 Aug 2006 03:51:13 -0400
Received: by wx-out-0506.google.com with SMTP id t4so2061132wxc for <ospf@ietf.org>; Tue, 29 Aug 2006 00:51:11 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=IZZpI9yHunc/Iw0qcMag2SEeIc6J8+t7ljFWt6iBVYvY+Zh1MW8zX2wxUMVVWBJCGbqSbn3/m/LNLYUL1NRr+gC0Ia9+4TLsKAKNi8ftTJslplRmVzw8ZoHymgKvIIE1ERLc9fp4TgBlLy7In7df/xYWpZxxDa1Sz2V0EVDknMQ=
Received: by 10.70.100.14 with SMTP id x14mr10913241wxb; Tue, 29 Aug 2006 00:51:11 -0700 (PDT)
Received: by 10.70.33.3 with HTTP; Tue, 29 Aug 2006 00:51:11 -0700 (PDT)
Message-ID: <77ead0ec0608290051x3610bfc9t9d024711cb5ea58a@mail.gmail.com>
Date: Tue, 29 Aug 2006 13:21:11 +0530
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: Erblichs <erblichs@earthlink.net>
Subject: Re: [OSPF] Revised OSPF HMAC SHA Authentication Draft
In-Reply-To: <44F34E34.5CFD81A4@earthlink.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <77ead0ec0608232153j6eb2add0l42cbc084fe3c4ec3@mail.gmail.com> <001601c6c73f$4c2d44a0$9207120a@china.huawei.com> <77ead0ec0608280318p1b73e218v8bca87253ae30933@mail.gmail.com> <44F34E34.5CFD81A4@earthlink.net>
X-Spam-Score: 1.9 (+)
X-Scan-Signature: 1449ead51a2ff026dcb23465f5379250
Cc: ospf@ietf.org, paul@jakma.org, Mailing List <OSPF@peach.ease.lsoft.com>
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
Errors-To: ospf-bounces@ietf.org
Erblichs, If you read RFC4305, the implementation requirements have and must be changed. The implementation requirements are compared below: Old Old New Req. RFC(s) Requirement Algorithm (notes) --- ------ ----------- --------- MUST 2406 SHOULD NOT DES-CBC [RFC2405] (1) MUST 2402 2406 MAY HMAC-MD5-96 [RFC2403] MUST 2402 2406 MUST HMAC-SHA1-96 [RFC2404] We expect the same for all protocols utilizing the crypto algorithms. Thanks, Vishwas On 8/29/06, Erblichs <erblichs@earthlink.net> wrote: > Group, > > Sometimes a minor opinion.. > > First. Up to this point, IMO, 99%+ nbr misconfigs > could be debuged at 1 local router with review of > incoming pkts. With this "work-in-progress", > this will NO longer be the case if we overload > type 2. > > What is a 'Must' clause going to achieve? > > By default ALL implementations support MD5, simple/clear, > and NULL auth. The only high probability of a nbr > formation is to use one of these three. Yes, MD5 was > the defacto standand auth 2 algor. > > Thus, any algor that super-ceeds one of these auths, > at this time, will not guarantee interoperability. > > However, as pointed out in the draft, the highest > common auth is not highly secure, but could be used > as a fall back. Yes, the admin would see either before > or after a nbr formation attempt that a mismatch > exists, and reconfigs the routers to use the fallback. > > Thus, to support backward compatibility and to secure > against SOME attacks, IMO all configs SHOULD/MUST support > MD5. > > If this is the case, would the clause only improve the > chance that "MD5" is not removed as newer algors are > supported? > > Or is their a thought for a algor other than MD5 to > specified as the MUST algor? > > > Mitchell Erblich > ---------------- > > > > > > Vishwas Manral wrote: > > > > Sujay, > > > > I agree we can include that in the draft. The reason as well as the > > links to the draft. > > > > Thanks, > > Vishwas > > > > On 8/24/06, sujay <sujayg@huawei.com> wrote: > > > Agree, > > > While a failed authentication could be basically due to configuration issues > > > or > > > Mismatched algo's.Where 'Configuration' can be changed, but a 'not supported > > > algo' > > > may need an Image upgrade. It's my guess image upgrade may not be > > > thoroughly welcome. > > > We do need a 'Must' support algo. clause. > > > > > > Vishwas ; would it be a nice idea to add a section in the current draft, > > > talking about this issue > > > and with cross reference to the below mentioned drafts?? > > > > > > > > > Regds, > > > Sujay G > > > My Location; > > > http://maps.google.com/maps?ll=14.626109,76.959229&spn=4.724852,7.525085&t=h > > > &hl=en > > > > > > > > > This e-mail and attachments contain confidential information from HUAWEI, > > > which is intended only for the person or entity whose address is listed > > > above. Any use of the information contained herein in any way (including, > > > but not limited to, total or partial disclosure, reproduction, or > > > dissemination) by persons other than the intended recipient's) is > > > prohibited. If you receive this e-mail in error, please notify the sender by > > > phone or email immediately and delete it! > > > -----Original Message----- > > > From: Vishwas Manral [mailto:vishwas.ietf@gmail.com] > > > Sent: Thursday, August 24, 2006 10:24 AM > > > To: paul@jakma.org > > > Cc: ospf@ietf.org; Mailing List > > > Subject: Re: [OSPF] Revised OSPF HMAC SHA Authentication Draft > > > > > > Paul, > > > > > > > There is though value in defining "MUST support" algos, otherwise poor > > > > users could be faced with having routers which all implement OSPF but > > > > can be made to interoperate unless authentication is left > > > > unconfigured. > > > We have drafts to meet the following exact requirements: > > > http://www.ietf.org/internet-drafts/draft-bhatia-manral-crypto-req-ospf-00.t > > > xt > > > and > > > http://www.ietf.org/internet-drafts/draft-bhatia-manral-crypto-req-isis-00.t > > > xt > > > > > > for OSPF and IS-IS respectively. > > > > > > Thanks, > > > Vishwas > > > > > > On 8/24/06, Paul Jakma <paul@clubi.ie> wrote: > > > > On Wed, 23 Aug 2006, Dave Katz wrote: > > > > > > > > > Sigh. C'mon, folks, there is no problem. > > > > > > > > > At the end of the day it doesn't matter if the value of 2 or 3 or > > > > > 42 is used; if there's a mismatch on the the algorithm ID, the > > > > > algorithm, or the key, the authentication will fail, and if it all > > > > > matches, it will work. > > > > > > > > Strongly concur. > > > > > > > > There is though value in defining "MUST support" algos, otherwise poor > > > > users could be faced with having routers which all implement OSPF but > > > > can be made to interoperate unless authentication is left > > > > unconfigured. > > > > > > > > MD5 at least should be defined as a MUST support. > > > > > > > > (Despite the pre-image weaknesses, it's still not yet completely > > > > insecure in MAC mode) > > > > > > > > regards, > > > > -- > > > > Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A > > > > > > _______________________________________________ > > > OSPF mailing list > > > OSPF@ietf.org > > > https://www1.ietf.org/mailman/listinfo/ospf > > > > > > > > > > _______________________________________________ > > OSPF mailing list > > OSPF@ietf.org > > https://www1.ietf.org/mailman/listinfo/ospf > _______________________________________________ OSPF mailing list OSPF@ietf.org https://www1.ietf.org/mailman/listinfo/ospf
- [OSPF] Revised OSPF HMAC SHA Authentication Draft Vishwas Manral
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Erblichs
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Manav Bhatia
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Erblichs
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Manav Bhatia
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Phil Cowburn
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Acee Lindem
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Phil Cowburn
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… tom.petch
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Tom Sanders
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Manav Bhatia
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Tom Sanders
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Michael J Barnes
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Acee Lindem
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Russ White
- RE: [OSPF] Revised OSPF HMAC SHA Authentication D… sujay
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Manav Bhatia
- RE: [OSPF] Revised OSPF HMAC SHA Authentication D… Manav Bhatia
- RE: [OSPF] Revised OSPF HMAC SHA Authentication D… sujay
- RE: [OSPF] Revised OSPF HMAC SHA Authentication D… sujay
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Dave Katz
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Paul Jakma
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Vishwas Manral
- RE: [OSPF] Revised OSPF HMAC SHA Authentication D… sujay
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Vishwas Manral
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Erblichs
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Vishwas Manral
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Tom Sanders
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Tom Sanders
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Acee Lindem