Re: [OSPF] Re: Stronger Non-IPSec OSPFv2 Authentication
Acee Lindem <acee@redback.com> Wed, 28 March 2007 15:11 UTC
Speaking as a WG member (so I can state my opinion without having to be nice :^):

I like this option the best since it allows us to get the stronger authentication without having to agree on the requirements text. Since it was presented in Paris, I've never liked the text in draft-bhatia-manral-crypto-req-ospf-01.txt. While footnotes have been added to address my concerns, it might be easier not to try and agree on this at all.

I don't like section 3 since, until you read the footnotes, it implies NULL and simple authentication MUST NOT be used. Null authentication is by far the easiest to administer, the most efficient, and, I'd wager, the most widely deployed. Simple authentication can be useful in situations where you simply want to run two communities of OSPF routers on the same wire. It is also good for places where you don't want inadvertent participation in the OSPF routing domain. You may "trust" the people who have access to the physical networks running OSPF or have sufficient motivation for them to behave.

With respect to MD5 authentication - this is currently widely deployed and it will take some time to be replaced. Hence, I think the whole draft could be replaced by a statement to the effect that "Users desiring cryptographic authentication may consider using algorithms x, y, or z due to the vulnerabilities in MD5. ....".

Thanks,
Acee

On Mar 28, 2007, at 8:43 AM, Acee Lindem wrote:

> After discussions with members of the ISIS WG, there is a third option which
> would be to accept draft-bhatia-manral-white-ospf-hmac-sha-03.txt but not
> draft-bhatia-manral-crypto-req-ospf-01.txt. I'd like to throw that out as an
> option.
>
> Thanks,
> Acee
>
> On Mar 27, 2007, at 9:16 AM, Acee Lindem wrote:
>
>> These drafts were presented in San Diego and seem to have
>> considerable support.
>>
>> draft-bhatia-manral-crypto-req-ospf-01.txt
>> draft-bhatia-manral-white-ospf-hmac-sha-03.txt
>>
>> Hence, we plan to make these WG documents unless there is
>> significant opposition or a compelling reason not to do so.
>> Thanks,
>> Acee
>
> _______________________________________________
> OSPF mailing list
> OSPF@ietf.org
> https://www1.ietf.org/mailman/listinfo/ospf