Re: [OSPF] Authentication/Confidentiality for OSPFv2

Anton Smirnov <asmirnov@cisco.com> Thu, 27 August 2009 11:58 UTC

To: Stan Ratliff <sratliff@cisco.com>
Cc: OSPF List <ospf@ietf.org>, Suresh Melam <nmelam@juniper.net>

   Hi Stan,
   I appreciate your concern that IPsec is not an option for MANET
deployments, but then I can't believe OSPF traffic is the only thing
there which must be protected. Because if user traffic requires
encryption, then having OSPF encrypted by its own protocol means is not
really solving any issue. In this case the problem has to be addressed
lower in the hierarchy, probably by devising an encryption scheme at the
radio link level.

   So far I have never seen a valid deployment scenario where a routing
protocol has to have stronger protection than the traffic. Without an
understanding of the target deployment scenario this looks like a me-too
effort.

Anton



Stan Ratliff wrote:
> Using IPSec is great (painful, laborious, voluminous configuration
> aside) if you have a wired network, and static partners. It isn't so
> great if you're trying to deploy an ad-hoc network, and you're not
> really sure from moment-to-moment which of your potential partner
> routers you may be needing to establish an adjacency with. So, IPSec
> doesn't really work for me.
> 
> Regards,
> Stan
> 
> On Aug 25, 2009, at 1:37 PM, Vishwas Manral wrote:
> 
>> Hi Acee,
>>
>> Though I mostly agree with Paul, the advantage of having something at
>> the IPsec level is that we do not require protocol-specific extensions
>> as long as IPsec meets the needs as we move forward. An example of
>> this could be an automatic keying mechanism rather than manual keying.
>>
>> Thanks,
>> Vishwas
>>
>> On Tue, Aug 25, 2009 at 10:21 AM, Acee Lindem<acee@redback.com> wrote:
>>> Hi Paul,
>>>
>>> On Aug 19, 2009, at 12:58 PM, Paul Wells wrote:
>>>
>>>> Hi Acee,
>>>>
>>>> Before we make this a working group document I'd like to hear what real
>>>> problem in OSPFv2 this proposal is addressing.
>>>>
>>>> With draft-ietf-ospf-hmac-sha we are upgrading the authentication
>>>> algorithms used by OSPFv2 to the same ones commonly used with IPSec.
>>>> While the optional use of AH does authenticate additional bits of the
>>>> IP header, I'm not sure I see a significant benefit in that. On the
>>>> other hand, we lose the replay protection we currently have in OSPFv2.
>>>
>>> This would not replace the existing OSPFv2 authentication. Rather, it
>>> would augment it.
>>>
>>>
>>>>
>>>> The only new capability I see is the option of encrypting the protocol
>>>> traffic while, presumably, leaving everything else in the clear. In my
>>>> opinion if you really care about confidentiality you'll run everything,
>>>> including OSPF, through an IPSec tunnel.
>>>
>>> That's a valid question. What is the group's feeling on this?
>>>
>>>
>>>>
>>>> I'd rather see the WG spend its time improving RFC 4552 by allowing
>>>> for automated rekeying (at least on P2P links) rather than simply
>>>> copying the existing OSPFv3 spec to OSPFv2.
>>>
>>> Much of what is going on in this space is not within the charter of
>>> the OSPF WG. With respect to P2P links, I've thought about defining a
>>> mode of operation that would relegate OSPF(v3) topologies to P2P and
>>> P2MP, allowing the use of IKEv2 for automated rekeying. In fact, it was
>>> one of those ideas I meant to propose at an OSPF WG meeting but never
>>> got around to it.
>>>
>>> Thanks,
>>> Acee
>>>
>>>
>>>>
>>>> Regards,
>>>> Paul
>>>>
>>>> Acee Lindem wrote:
>>>>>
>>>>> For some time we've discussed adding IPsec support for OSPFv2
>>>>> analogous to what we have for OSPFv3. The subject draft describes
>>>>> how we'd build on the OSPFv3 support to support OSPFv2:
>>>>>   http://www.ietf.org/id/draft-gupta-ospf-ospfv2-sec-01.txt
>>>>> What are the current thoughts as far as adding this as a WG document?
>>>>> Thanks,
>>>>> Acee
>>>>> P.S. The formatting issues will be fixed in the next revision.
>>>>> _______________________________________________
>>>>> OSPF mailing list
>>>>> OSPF@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/ospf
>>>
>>>
> 
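Paul's point in the quoted thread is that OSPFv2's own cryptographic authentication carries a per-neighbor cryptographic sequence number that IPsec AH would not replace. The following is an added illustration written for this archive page, not code from the thread or from any draft: a simplified OSPFv2-style packet whose HMAC trailer and sequence number let a receiver reject both tampered and replayed packets. The header layout is modelled on RFC 2328 Appendix D but is not byte-exact, and the strict seq > last_seq rule is an assumption (RFC 2328 only discards a packet whose number is lower than the last accepted one).

```python
import hmac
import hashlib
import struct

KEY_ID = 1          # Key ID carried in the authentication field (assumed value)
AUTH_LEN = 32       # HMAC-SHA-256 digest length appended after the packet

def build_packet(key: bytes, seq: int, body: bytes) -> bytes:
    """Build a simplified OSPFv2-style packet with a cryptographic auth trailer.

    Assumed layout (modelled on RFC 2328 Appendix D, not byte-exact):
    version(1) type(1) length(2) router_id(4) area_id(4) checksum(2, zero
    under cryptographic auth) autype(2)=2, then the 64-bit auth field:
    zero(2) key_id(1) auth_len(1) crypto_seq(4). The MAC is appended after
    the body and is not counted in the packet length, as in RFC 2328.
    """
    length = 24 + len(body)
    auth = struct.pack("!HBBI", 0, KEY_ID, AUTH_LEN, seq)
    hdr = struct.pack("!BBHIIHH", 2, 1, length, 0x0A000001, 0, 0, 2) + auth
    mac = hmac.new(key, hdr + body, hashlib.sha256).digest()
    return hdr + body + mac

class NeighborState:
    """Per-neighbor receive state: last accepted cryptographic sequence number."""
    def __init__(self) -> None:
        self.last_seq = None

def verify_packet(key: bytes, pkt: bytes, nbr: NeighborState):
    """Return (accepted, reason). Rejects short packets, an unknown key id,
    bad MACs, and replays. The strict seq > last_seq rule is an assumption;
    RFC 2328 itself only discards a packet whose number is lower than the
    last one accepted."""
    if len(pkt) < 24 + AUTH_LEN:
        return False, "short packet"
    mac_start = len(pkt) - AUTH_LEN
    hdr, mac = pkt[:24], pkt[mac_start:]
    _, key_id, auth_len, seq = struct.unpack("!HBBI", hdr[16:24])
    if key_id != KEY_ID or auth_len != AUTH_LEN:
        return False, "unknown key id or auth length"
    # MAC covers header (including the sequence number) and body.
    expected = hmac.new(key, pkt[:mac_start], hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time compare
        return False, "bad mac"
    # Replay check: an attacker re-sending a captured packet cannot advance
    # the sequence number without also forging a valid MAC.
    if nbr.last_seq is not None and seq <= nbr.last_seq:
        return False, "replay"
    nbr.last_seq = seq
    return True, "ok"
```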