Re: [OSPF] [Technical Errata Reported] RFC6506 (3567)

"Marek Karasek (mkarasek)" <mkarasek@cisco.com> Mon, 01 April 2013 19:08 UTC

Return-Path: <mkarasek@cisco.com>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6C6C11E80E6 for <ospf@ietfa.amsl.com>; Mon, 1 Apr 2013 12:08:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PBeFEjfYnuMt for <ospf@ietfa.amsl.com>; Mon, 1 Apr 2013 12:08:37 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by ietfa.amsl.com (Postfix) with ESMTP id C69E811E80E4 for <ospf@ietf.org>; Mon, 1 Apr 2013 12:08:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5163; q=dns/txt; s=iport; t=1364843317; x=1366052917; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=WoQWAeuvRrbaQ7UEW2h8+prMQcdLEFzTIRyuxqPMntw=; b=jcDv3SvVB8aG6HkhsGvZPNlaRdQ8Vb0tvv2yuNXXlFvBwB4A52IgfiWR ovO8G+Yr/P/zgUnl2bDgHaVObhY7EnovUy+omEmeBzs3Lia905FusvYvN 14MVyrZ99zDpN2LeGnk57biPyWIfc00pzO9CNHM9B/xWfvd9uSNnjTpz6 Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgIFAG++WVGtJXG+/2dsb2JhbAApGoM7v058FnSCHwEBAQQ6LRIMBAIBCBEEAQELDwIDCQcyFAkIAgQBDQUIiAwMMMAgjWSBHCYLBwYhAoI2YQOndoMLelMfPA
X-IronPort-AV: E=Sophos;i="4.87,387,1363132800"; d="scan'208";a="193721486"
Received: from rcdn-core2-3.cisco.com ([173.37.113.190]) by rcdn-iport-2.cisco.com with ESMTP; 01 Apr 2013 19:08:36 +0000
Received: from xhc-aln-x03.cisco.com (xhc-aln-x03.cisco.com [173.36.12.77]) by rcdn-core2-3.cisco.com (8.14.5/8.14.5) with ESMTP id r31J8alR020496 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 1 Apr 2013 19:08:36 GMT
Received: from xmb-rcd-x11.cisco.com ([169.254.1.206]) by xhc-aln-x03.cisco.com ([173.36.12.77]) with mapi id 14.02.0318.004; Mon, 1 Apr 2013 14:08:35 -0500
From: "Marek Karasek (mkarasek)" <mkarasek@cisco.com>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>, "vishwas.manral@hp.com" <vishwas.manral@hp.com>, "acee.lindem@ericsson.com" <acee.lindem@ericsson.com>, "Stewart Bryant (stbryant)" <stbryant@cisco.com>, "adrian@olddog.co.uk" <adrian@olddog.co.uk>, "Abhay Roy (akr)" <akr@cisco.com>, "acee.lindem@ericsson.com" <acee.lindem@ericsson.com>
Thread-Topic: [Technical Errata Reported] RFC6506 (3567)
Thread-Index: AQHOKuf5RpxnQnNRs0eE494S+KVBBJi/nkiAgAIXBDA=
Date: Mon, 01 Apr 2013 19:08:35 +0000
Message-ID: <E7523A682FBA7E498E8FAF27332266AA0F5896F1@xmb-rcd-x11.cisco.com>
References: <20130327123752.EFE2DB1E002@rfc-editor.org> <7C362EEF9C7896468B36C9B79200D8351BCAF79C88@INBANSXCHMBSA1.in.alcatel-lucent.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8351BCAF79C88@INBANSXCHMBSA1.in.alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.55.25.117]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "ospf@ietf.org" <ospf@ietf.org>
Subject: Re: [OSPF] [Technical Errata Reported] RFC6506 (3567)
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2013 19:08:37 -0000

Hi Manav,

modularity argument is not against errata. If there's LLS implementation which does not know on TX that authentication is configured, it's perfectly OK to compute LLS checksum. Errata says that it will not be verified on RX, so implementations which know about authentication do not have to compute checksum.

I'm not saying that RFC6506 is wrong, but that it's forgotten that OSPFv3 has two checksums, one for standard OSPFv3 payload and second for LLS. If RFC6506 tells how to work with checksum for the first part of the packet, it's useful if it also says how to work with checksum for the second part of the packet. For me it's natural that both parts of the packet have same handling.

Thanks marek

-----Original Message-----
From: Bhatia, Manav (Manav) [mailto:manav.bhatia@alcatel-lucent.com] 
Sent: Sunday, March 31, 2013 7:25 AM
To: vishwas.manral@hp.com; acee.lindem@ericsson.com; Stewart Bryant (stbryant); adrian@olddog.co.uk; Abhay Roy (akr); acee.lindem@ericsson.com
Cc: Marek Karasek (mkarasek); ospf@ietf.org
Subject: RE: [Technical Errata Reported] RFC6506 (3567)

Hi Marek,

When constructing the LLS data block it may not always be possible for an implementation to know whether there is authentication being used on a link or not. Sure there are ways for us to figure this out but it may not be a very modular approach (really an implementation specific issue).

If you follow rfc 6506 and do as it says then you can always choose NOT to verify the LLS checksum upon reciept and still be compliant to 6506.

This way nothing changes - Your original code for LLS still computes the checksum regardless of whether OSPFv3 AT is configured or not. The AT code computes the digest of the packet including the LLS data block.

The reciever verifies the AT data block and accepts the packet if it matches with whats carried in the packet. Its now an implementation specific issue whether it wants to verify the LLS checksum or not.

Given this I don't think the errata raised is correct - more so, because this isnt really an error in the RFC. 

Even if we'd discussed this issue when we were writing this RFC we would have left it as an implementation specific behavior at the RX side based on the modularity argument.

Based on this argument I would also reject the errata 3568 that has been raised. 

Cheers, Manav

> -----Original Message-----
> From: RFC Errata System [mailto:rfc-editor@rfc-editor.org]
> Sent: Wednesday, March 27, 2013 6:08 PM
> To: Bhatia, Manav (Manav); vishwas.manral@hp.com; 
> acee.lindem@ericsson.com; stbryant@cisco.com; adrian@olddog.co.uk; 
> akr@cisco.com; acee.lindem@ericsson.com
> Cc: mkarasek@cisco.com; ospf@ietf.org; rfc-editor@rfc-editor.org
> Subject: [Technical Errata Reported] RFC6506 (3567)
> 
> The following errata report has been submitted for RFC6506, 
> "Supporting Authentication Trailer for OSPFv3".
> 
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6506&eid=3567
> 
> --------------------------------------
> Type: Technical
> Reported by: Marek Karasek <mkarasek@cisco.com>
> 
> Section: 2.2
> 
> Original Text
> -------------
>    Consistent with OSPFv2 Cryptographic Authentication 
> [RFC2328], both    OSPFv3 header checksum calculation and 
> verification are omitted when    the OSPFv3 authentication 
> mechanism described in this specification    is used. 
> 
> Corrected Text
> --------------
> OSPFv3 authentication mechanism provides capability to detect 
> corruption of OSPFv3 packet, which is under non authenticated 
> operation achieved using OSPFv3 header checksum [RFC 5340] and LLS 
> data block checksum [RFC 5613]. In spirit of OSPFv2 Cryptographic 
> Authentication [RFC2328], OSPFv3 header checksum and LLS  Data Block 
> Checksum calculation and verification are omitted when the OSPFv3 
> authentication mechanism described in this specification is used.
> 
> Notes
> -----
> RFC does not specify how to work with LLS Data Block Checksum. Errata 
> suggests omit checksum calculation/verification in the same way like 
> for OSPFv3 header checksum.
> 
> Instructions:
> -------------
> This errata is currently posted as "Reported". If necessary, please 
> use "Reply All" to discuss whether it should be verified or rejected. 
> When a decision is reached, the verifying party (IESG) can log in to 
> change the status and edit the report, if necessary.
> 
> --------------------------------------
> RFC6506 (draft-ietf-ospf-auth-trailer-ospfv3-11)
> --------------------------------------
> Title               : Supporting Authentication Trailer for OSPFv3
> Publication Date    : February 2012
> Author(s)           : M. Bhatia, V. Manral, A. Lindem
> Category            : PROPOSED STANDARD
> Source              : Open Shortest Path First IGP
> Area                : Routing
> Stream              : IETF
> Verifying Party     : IESG
>