IETF Logo Mail Archive

Re: [OSPF] Re: Stronger Non-IPSec OSPFv2 Authentication

"Phil Cowburn" <phil.cowburn@gmail.com> Sat, 31 March 2007 10:57 UTC

Return-path: <ospf-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HXbHN-0000Sp-F8; Sat, 31 Mar 2007 06:57:53 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HXbHM-0000Qe-VZ for ospf@ietf.org; Sat, 31 Mar 2007 06:57:52 -0400
Received: from wr-out-0506.google.com ([64.233.184.229]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HXbHL-0008DK-IG for ospf@ietf.org; Sat, 31 Mar 2007 06:57:52 -0400
Received: by wr-out-0506.google.com with SMTP id 71so882989wri for <ospf@ietf.org>; Sat, 31 Mar 2007 03:57:51 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=b1galUYemnX0wJuYe4BFtNhC4ZDrSRWNBB6sOUeyIku0Yto2XGFFzLFFNya7e4GiRU9IgnErYZ/GMC4x+QrY2FdEtGzze/qLtFXTBBoLFGgV678vGCk5LpQKeke0nuislH+QeEyO1Kw60kqe0o05XymwsktGtcE5xGcPuIvbpQg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=WJuQBTBKVoAwkWOs4RX9nkRux595WEBmvkuqExznNF6Gc8ovApzeXSS7nEBXy4rZ4mWqa+pEKkQKrYTK2Cjuvkh6jcAbRA0tMT4b9dTpHainPY7874HBjDL4KrQTHRojG7PoCzft2/sTCfsyXjkZgx12TYiURH1iOMju4jPLnvI=
Received: by 10.78.172.20 with SMTP id u20mr1211980hue.1175338668836; Sat, 31 Mar 2007 03:57:48 -0700 (PDT)
Received: by 10.78.182.4 with HTTP; Sat, 31 Mar 2007 03:57:48 -0700 (PDT)
Message-ID: <6e6ce9380703310357s7fa743beo973a31bd8fdcee39@mail.gmail.com>
Date: Sat, 31 Mar 2007 16:27:48 +0530
From: Phil Cowburn <phil.cowburn@gmail.com>
To: Vishwas Manral <vishwas.ietf@gmail.com>
Subject: Re: [OSPF] Re: Stronger Non-IPSec OSPFv2 Authentication
In-Reply-To: <77ead0ec0703281635i68496a72g755ee8b02b934ae5@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <C784E5DF-DAED-402E-9AC4-D8924E64356A@redback.com> <D5E719B8-D655-4849-867D-C0C675F0F255@redback.com> <C85BF864-9AC3-496A-92C3-16EE7CBE83C0@redback.com> <77ead0ec0703280901v605f3e40kc716ddef3772ab98@mail.gmail.com> <461B1AAF-D2A6-4AF2-BFA8-546B785985C0@redback.com> <77ead0ec0703281635i68496a72g755ee8b02b934ae5@mail.gmail.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 33cc095b503da4365ce57c727e553cf1
Cc: OSPF List <ospf@ietf.org>
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
Errors-To: ospf-bounces@ietf.org

Acee and Vishwas:

I find value in the spirit behind
draft-bhatia-manral-crypto-req-ospf-01.txt and would like to see it
kept alive.

There may not be a burning need for such a document today because
there arent many authentication algorithms that can be used for OSPF
currently. However, with time as those would grow, you would have to
define some minimal set of algorithms that each implementation would
have to support for the basic interop to work.

This is not a new point and has been raised earlier also in this WG.

http://www.mail-archive.com/ospf@ietf.org/msg00155.html
http://www.mail-archive.com/ospf@ietf.org/msg00156.html

Now whether this work belongs to this WG or some other (RPSEC?) is an
altogether different issue. Regardless of that, i would like to see it
progressed further.

While we're on this topic i would also like to lend my support for
draft-bhatia-manral-white-ospf-hmac-sha-03.txt to be made as a WG doc.

Phil.

On 3/29/07, Vishwas Manral <vishwas.ietf@gmail.com> wrote:
> Hi Acee,
>
> I did hear a similar requirement from Sandy and may be a few others
> too regarding this very document.
>
> If we dont hear from others here anymore we can probably look what we
> can do for the progress of the draft. Suggestions like the ones you
> have given would be helpful.
>
> Thanks,
> Vishwas
>
> On 3/28/07, Acee Lindem <acee@redback.com> wrote:
> > Hi Vishwas,
> >
> > To quote the old adage, "You can bring a horse to water but you can't
> > make'em drink."
> >
> > Maybe a document of a more general dealing with IGPs in RPSEC WG
> > would be more appropriate. I just don't think we're ever going to
> > agree on this document in this WG.
> >
> > Thanks,
> > Acee
> > On Mar 28, 2007, at 12:01 PM, Vishwas Manral wrote:
> >
> > > Hi Acee,
> > >
> > > Thanks for the comments.
> > >
> > > I agree we can get stronger authentication, but its of no use unless
> > > we specify that in case we want security we MUST support the
> > > algorithm. As the number of algorithms increase we need to specify a
> > > minimal set of algorithms that need to be supported, else the
> > > interoperability between implementations that want to support security
> > > is not guarenteed .
> > >
> > > Also, as has been pointed out earlier, we have seen in IPsec RFC4305
> > > as well as RFC4305-bis (of which I am the author), as the computing
> > > power increases and security algorithms become vulnerable to new
> > > attacks, we do not have to change RFC's that talk about how to use the
> > > algorithm. The only RFC that changes is the one that specifies the
> > > support levels of various security algorithms.
> > >
> > > Though it may sound obvious, the support for NULL algorithm states
> > > that if we need support for Security we should not use the NULL
> > > authentication algorithm.
> > >
> > > These were the exact lessons learnt in the past in IPsec. I guess we
> > > should take care not to repeat the mistakes again.
> > >
> > > Thanks again,
> > > Vishwas
> > >
> > > On 3/28/07, Acee Lindem <acee@redback.com> wrote:
> > >> Speaking as a WG member (so I can state my opinion without having
> > >> to be nice
> > >> :^):
> > >>
> > >> I like this option the best since it allows us to get the stronger
> > >> authentication without having to agree on the requirements text.
> > >> Since it
> > >> was presented in Paris, I've never liked the text in
> > >> draft-bhatia-manral-crypto-req-ospf-01.txt. While footnotes
> > >> have been added to address my concerns, it might be easier not to
> > >> try and
> > >> agree on this at all.
> > >>
> > >> I don't like section 3 since, until you read the footnotes, it
> > >> implies NULL
> > >> and simply authentication MUST NOT be used. Null authentication is
> > >> by far
> > >> the easiest to administer, the most efficient, and, I'd wagger,
> > >> the most
> > >> widely deployed. Simple authentication can be useful in situations
> > >> where you
> > >> simply want to run two communities of OSPF routers on the same
> > >> wire. It is
> > >> also good for places where you don't want inadvertent
> > >> participation in the
> > >> OSPF routing domain. You many "trust" the people who have access
> > >> to the
> > >> physical networks running OSPF or have sufficient motivation for
> > >> them to
> > >> behave.
> > >>
> > >> With respect to MD5 authentication - this is currently widely
> > >> deployed and
> > >> it will take some time to be replaced. Hence, I think the whole
> > >> draft could
> > >> be replaced by a statement to the effect that "Users desiring
> > >> cryptographic
> > >> authentication may consider using algorithms x, y, or z due to the
> > >> vulnerabilities in MD5. ....".
> > >>
> > >> Thanks,
> > >> Acee
> > >>
> > >>
> > >>
> > >>
> > >> On Mar 28, 2007, at 8:43 AM, Acee Lindem wrote:
> > >>
> > >> After discussions with members of the ISIS WG, there is a third
> > >> option which
> > >> would be to accept
> > >> draft-bhatia-manral-white-ospf-hmac-sha-03.txt but not
> > >> draft-bhatia-manral-crypto-req-ospf-01.txt. I'd like to
> > >> throw that out as an
> > >> option.
> > >>
> > >> Thanks,
> > >> Acee
> > >>
> > >>
> > >>
> > >> On Mar 27, 2007, at 9:16 AM, Acee Lindem wrote:
> > >> These drafts were presented in San Diego and seem to have
> > >> considerable
> > >> support.
> > >>
> > >> draft-bhatia-manral-crypto-req-ospf-01.txt
> > >> draft-bhatia-manral-white-ospf-hmac-sha-03.txt
> > >>
> > >> Hence, we plan to make these WG documents unless there is significant
> > >> opposition or a compelling reason not to do so.
> > >> Thanks,
> > >> Acee
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> _______________________________________________
> > >> OSPF mailing list
> > >> OSPF@ietf.org
> > >> https://www1.ietf.org/mailman/listinfo/ospf
> > >>
> > >> _______________________________________________
> > >> OSPF mailing list
> > >> OSPF@ietf.org
> > >> https://www1.ietf.org/mailman/listinfo/ospf
> > >>
> > >>
> >
> >
>
> _______________________________________________
> OSPF mailing list
> OSPF@ietf.org
> https://www1.ietf.org/mailman/listinfo/ospf
>

_______________________________________________
OSPF mailing list
OSPF@ietf.org
https://www1.ietf.org/mailman/listinfo/ospf

v2.23.0 | Report a Bug | By Email