Re: [OSPF] Re: Stronger Non-IPSec OSPFv2 Authentication

Acee Lindem <acee@redback.com> Wed, 28 March 2007 15:11 UTC

Return-path: <ospf-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HWZoT-0005WC-H5; Wed, 28 Mar 2007 11:11:49 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HWZoR-0005VP-Fi for ospf@ietf.org; Wed, 28 Mar 2007 11:11:47 -0400
Received: from prattle.redback.com ([155.53.12.9]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HWZo0-0005XH-Jd for ospf@ietf.org; Wed, 28 Mar 2007 11:11:47 -0400
Received: from localhost (localhost [127.0.0.1]) by prattle.redback.com (Postfix) with ESMTP id 41DFD9EB264 for <ospf@ietf.org>; Wed, 28 Mar 2007 08:11:20 -0700 (PDT)
Received: from prattle.redback.com ([127.0.0.1]) by localhost (prattle [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03947-08 for <ospf@ietf.org>; Wed, 28 Mar 2007 08:11:20 -0700 (PDT)
Received: from [?????R?IPv6???1] (login005.redback.com [155.53.12.64]) by prattle.redback.com (Postfix) with ESMTP id 5A5889EB267 for <ospf@ietf.org>; Wed, 28 Mar 2007 08:11:19 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v752.3)
In-Reply-To: <D5E719B8-D655-4849-867D-C0C675F0F255@redback.com>
References: <C784E5DF-DAED-402E-9AC4-D8924E64356A@redback.com> <D5E719B8-D655-4849-867D-C0C675F0F255@redback.com>
Message-Id: <C85BF864-9AC3-496A-92C3-16EE7CBE83C0@redback.com>
Cc: OSPF List <ospf@ietf.org>
From: Acee Lindem <acee@redback.com>
Subject: Re: [OSPF] Re: Stronger Non-IPSec OSPFv2 Authentication
Date: Wed, 28 Mar 2007 11:10:38 -0400
X-Mailer: Apple Mail (2.752.3)
X-Virus-Scanned: by amavisd-new at redback.com
X-Spam-Score: 0.1 (/)
X-Scan-Signature: d16ce744298aacf98517bc7c108bd198
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0032164643=="
Errors-To: ospf-bounces@ietf.org

Speaking as a WG member (so I can state my opinion without having to  
be nice :^):

I like this option the best since it allows us to get the stronger  
authentication without having to agree on the requirements text.  
Since it was presented in Paris, I've never liked the text in draft- 
bhatia-manral-crypto-req-ospf-01.txt. While footnotes have been added  
to address my concerns, it might be easier not to try and agree on  
this at all.

I don't like section 3 since, until you read the footnotes, it  
implies NULL and simple authentication MUST NOT be used. Null  
authentication is by far the easiest to administer, the most  
efficient, and, I'd wager, the most widely deployed. Simple  
authentication can be useful in situations where you simply want to  
run two communities of OSPF routers on the same wire. It is also good  
for places where you don't want inadvertent participation in the OSPF  
routing domain. You may "trust" the people who have access to the  
physical networks running OSPF or have sufficient motivation for them  
to behave.

With respect to MD5 authentication - this is currently widely  
deployed and it will take some time to be replaced. Hence, I think  
the whole draft could be replaced by a statement to the effect that  
"Users desiring cryptographic authentication may consider using  
algorithms x, y, or z due to the vulnerabilities in MD5. ....".

Thanks,
Acee



On Mar 28, 2007, at 8:43 AM, Acee Lindem wrote:

> After discussions with members of the ISIS WG, there is a third  
> option which
> would be to accept draft-bhatia-manral-white-ospf-hmac-sha-03.txt  
> but not
> draft-bhatia-manral-crypto-req-ospf-01.txt. I'd like to throw that  
> out as an
> option.
>
> Thanks,
> Acee
>
>
> On Mar 27, 2007, at 9:16 AM, Acee Lindem wrote:
>
>> These drafts were presented in San Diego and seem to have  
>> considerable support.
>>
>> draft-bhatia-manral-crypto-req-ospf-01.txt
>> draft-bhatia-manral-white-ospf-hmac-sha-03.txt
>>
>> Hence, we plan to make these WG documents unless there is  
>> significant opposition or a compelling reason not to do so.
>> Thanks,
>> Acee

_______________________________________________
OSPF mailing list
OSPF@ietf.org
https://www1.ietf.org/mailman/listinfo/ospf
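The thread above argues over four OSPFv2 authentication choices: null (AuType 0), simple password (AuType 1), the RFC 2328 keyed-MD5 trailer (AuType 2), and the HMAC-SHA construction proposed in draft-bhatia-manral-white-ospf-hmac-sha (later published as RFC 5709). The following is an added example, not code from the thread, the drafts or any vendor implementation, that builds a minimal Hello and produces and verifies each trailer so the difference is visible on the wire. The Hello body, router ID, key IDs, keys and sequence numbers are constructed values; the HMAC side assumes a key of at most 32 octets so that Python's standard HMAC key preparation matches the RFC 5709 Ko derivation.

```python
"""Added example: how each OSPFv2 authentication type protects (or does not
protect) a packet. Packet contents, keys and sequence numbers are constructed
for the demonstration; nothing here is code from the thread or the drafts."""
import hashlib
import hmac
import struct

AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2   # AuType values, RFC 2328 Appendix D
OSPF_HELLO = 1
MD5_LEN, SHA256_LEN = 16, 32
APAD = struct.pack("!I", 0x878FE1F3)       # RFC 5709 Apad word, repeated L/4 times

# Constructed Hello body: mask 255.255.255.0, HelloInterval 10, Options 0x02,
# priority 1, RouterDeadInterval 40, DR 0.0.0.0, BDR 0.0.0.0 (no neighbours).
HELLO_BODY = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)


def ones_complement_checksum(data: bytes) -> int:
    """Standard IP-style checksum that OSPF uses for AuType 0 and 1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ospf_packet(autype: int, auth_field: bytes, body: bytes = HELLO_BODY,
                router_id: int = 0x0A000001, area_id: int = 0) -> bytes:
    """24-octet OSPFv2 header + body. Length excludes any trailer; the checksum
    skips the 8-octet authentication field and is zero for AuType 2."""
    assert len(auth_field) == 8
    hdr = struct.pack("!BBHIIHH", 2, OSPF_HELLO, 24 + len(body),
                      router_id, area_id, 0, autype)
    csum = 0 if autype == AU_CRYPTO else ones_complement_checksum(hdr + bytes(8) + body)
    return hdr[:12] + struct.pack("!H", csum) + hdr[14:] + auth_field + body


def null_auth() -> bytes:
    """AuType 0: no secret at all; anyone on the wire can join the domain."""
    return ospf_packet(AU_NULL, bytes(8))


def simple_auth(password: bytes) -> bytes:
    """AuType 1: the password travels in the clear in the header."""
    return ospf_packet(AU_SIMPLE, password.ljust(8, b"\x00")[:8])


def extract_simple_password(packet: bytes) -> bytes:
    """What a passive observer recovers from an AuType 1 packet."""
    return packet[16:24].rstrip(b"\x00")


def _crypto_header(key_id: int, auth_len: int, seq: int) -> bytes:
    # AuType 2 authentication field: 0, Key ID, Auth Data Length, Crypto Sequence Number
    return struct.pack("!HBBI", 0, key_id, auth_len, seq)


def md5_sign(key: bytes, key_id: int, seq: int) -> bytes:
    """RFC 2328 keyed MD5: MD5(packet || key padded/truncated to 16 octets),
    appended as a trailer that is not counted in the packet length."""
    pkt = ospf_packet(AU_CRYPTO, _crypto_header(key_id, MD5_LEN, seq))
    return pkt + hashlib.md5(pkt + key.ljust(MD5_LEN, b"\x00")[:MD5_LEN]).digest()


def hmac_sha256_sign(key: bytes, key_id: int, seq: int) -> bytes:
    """HMAC-SHA-256 as in the hmac-sha draft / RFC 5709: trailer pre-filled
    with Apad, HMAC computed over packet||Apad, digest replaces Apad.
    Assumption: key <= 32 octets, so hmac's key handling equals RFC 5709's Ko."""
    pkt = ospf_packet(AU_CRYPTO, _crypto_header(key_id, SHA256_LEN, seq))
    return pkt + hmac.new(key, pkt + APAD * (SHA256_LEN // 4), hashlib.sha256).digest()


def verify(packet: bytes, keys: dict) -> bool:
    """Receiver side: select the key by Key ID, recompute the trailer and compare
    in constant time. AuType 0/1 carry nothing to verify and return False."""
    autype = struct.unpack("!H", packet[14:16])[0]
    if autype != AU_CRYPTO:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    key_id, auth_len, _seq = struct.unpack("!BBI", packet[18:24])
    body, trailer = packet[:length], packet[length:]
    key = keys.get(key_id)
    if key is None or len(trailer) != auth_len:
        return False
    if auth_len == MD5_LEN:
        expect = hashlib.md5(body + key.ljust(MD5_LEN, b"\x00")[:MD5_LEN]).digest()
    elif auth_len == SHA256_LEN:
        expect = hmac.new(key, body + APAD * (SHA256_LEN // 4), hashlib.sha256).digest()
    else:
        return False
    return hmac.compare_digest(expect, trailer)


def tamper(packet: bytes) -> bytes:
    """Flip the Options octet of the Hello (header 24 + offset 6) after signing."""
    i = 30
    return packet[:i] + bytes([packet[i] ^ 0xFF]) + packet[i + 1:]


if __name__ == "__main__":
    keys = {1: b"s3cret", 2: b"s3cret"}
    print("simple password on the wire:", extract_simple_password(simple_auth(b"pass")))
    print("md5 ok:", verify(md5_sign(b"s3cret", 1, 100), keys),
          "tampered:", verify(tamper(md5_sign(b"s3cret", 1, 100)), keys))
    print("hmac ok:", verify(hmac_sha256_sign(b"s3cret", 2, 100), keys),
          "tampered:", verify(tamper(hmac_sha256_sign(b"s3cret", 2, 100)), keys))
```

Replay protection through the cryptographic sequence number, key rollover across Key IDs, and the MD5-specific caveats the thread alludes to are outside this snippet; it only shows that AuType 0 and 1 give a receiver nothing to check, while both AuType 2 variants reject a packet modified after signing or signed under a different key.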