Re: [OSPF] Authentication/Confidentiality for OSPFv2
Stan Ratliff <sratliff@cisco.com> Wed, 26 August 2009 14:38 UTC
Message-Id: <C7F7AE24-F717-4837-8B77-AB8EC9BF22C8@cisco.com>
From: Stan Ratliff <sratliff@cisco.com>
To: Vishwas Manral <vishwas.ietf@gmail.com>
In-Reply-To: <77ead0ec0908251037y77ca5247h900ef584e7768d28@mail.gmail.com>
Date: Wed, 26 Aug 2009 10:37:30 -0400
References: <25C684A4-6D5E-4924-892E-758F0AB1A36B@redback.com> <4A8C2F43.6010509@cisco.com> <19964D61-784B-4A71-BD68-9E6A1DAB3DAB@redback.com> <77ead0ec0908251037y77ca5247h900ef584e7768d28@mail.gmail.com>
Cc: OSPF List <ospf@ietf.org>, Suresh Melam <nmelam@juniper.net>
Subject: Re: [OSPF] Authentication/Confidentiality for OSPFv2
Using IPSec is great (painful, laborious, voluminous configuration aside) if you have a wired network, and static partners. It isn't so great if you're trying to deploy an ad-hoc network, and you're not really sure from moment-to-moment which of your potential partner routers you may be needing to establish an adjacency with. So, IPSec doesn't really work for me.

Regards,
Stan

On Aug 25, 2009, at 1:37 PM, Vishwas Manral wrote:

> Hi Acee,
>
> Though I mostly agree with Paul. The advantage of having something at
> the IPsec level is that we do not require protocol specific extensions
> as long as IPsec meets the needs as we move forward. An example of
> this could be an automatic keying mechanism rather than manual keying.
>
> Thanks,
> Vishwas
>
> On Tue, Aug 25, 2009 at 10:21 AM, Acee Lindem <acee@redback.com> wrote:
>> Hi Paul,
>>
>> On Aug 19, 2009, at 12:58 PM, Paul Wells wrote:
>>
>>> Hi Acee,
>>>
>>> Before we make this a working group document I'd like to hear what
>>> real problem in OSPFv2 this proposal is addressing.
>>>
>>> With draft-ietf-ospf-hmac-sha we are upgrading the authentication
>>> algorithms used by OSPFv2 to the same ones commonly used with
>>> IPSec. While the optional use of AH does authenticate additional bits
>>> of the IP header, I'm not sure I see a significant benefit in that.
>>> On the other hand, we lose the replay protection we currently have
>>> in OSPFv2.
>>
>> This would not replace the existing OSPFv2 authentication. Rather,
>> it would augment it.
>>
>>> The only new capability I see is the option of encrypting the
>>> protocol traffic while, presumably, leaving everything else in the
>>> clear. In my opinion if you really care about confidentiality you'll
>>> run everything, including OSPF, through an IPSec tunnel.
>>
>> That's a valid question? What is the group feeling on this?
>>
>>> I'd rather see the WG spend its time improving RFC 4552 by
>>> allowing for automated rekeying (at least on P2P links) rather than
>>> simply copying the existing OSPFv3 spec to OSPFv2.
>>
>> Much of what is going on in this space is not within the charter of
>> the OSPF WG. With respect to P2P links, I've thought about defining a
>> mode of operation that would relegate OSPF(v3) topologies to P2P and
>> P2MP, allowing the use of IKEv2 for automated rekeying. In fact, it
>> was one of those ideas I meant to propose at an OSPF WG meeting but
>> never got around to it.
>>
>> Thanks,
>> Acee
>>
>>> Regards,
>>> Paul
>>>
>>> Acee Lindem wrote:
>>>>
>>>> For some time we've discussed adding IPsec support for OSPFv2
>>>> analogous to what we have for OSPFv3. The subject draft describes
>>>> how we'd build on the OSPFv3 support to support OSPFv2:
>>>> http://www.ietf.org/id/draft-gupta-ospf-ospfv2-sec-01.txt
>>>> What are the current thoughts as far as adding this as a WG
>>>> document?
>>>> Thanks,
>>>> Acee
>>>> P.S. The formatting issues will be fixed in the next revision.
>>>> _______________________________________________
>>>> OSPF mailing list
>>>> OSPF@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ospf
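The thread turns on two properties of the built-in OSPFv2 cryptographic authentication that Paul Wells contrasts with AH: the HMAC-SHA digests introduced by draft-ietf-ospf-hmac-sha (later RFC 5709), and the per-neighbor cryptographic sequence number that gives replay protection. The following is an added illustration, not code from this thread, from any vendor, or from any router implementation. It assumes the 24-byte OSPFv2 header layout of RFC 2328 Appendix A.3.1 with AuType 2, a zero checksum under cryptographic authentication, the RFC 5709 Apad constant appended before hashing, and the digest carried after the packet and excluded from the Length field; key preparation is the standard RFC 2104 HMAC padding done by Python's hmac module, so confirm byte-exact interoperability against your own implementation before relying on it. All function names, the key, and the packet bodies are constructed for the example.

```python
"""OSPFv2 cryptographic authentication with HMAC-SHA (RFC 5709 style)
plus the RFC 2328 Appendix D cryptographic sequence-number replay check.
Added example for illustration only; all names and sample data are
constructed and not taken from the thread or any implementation."""
import hashlib
import hmac
import struct

# ver, type, len, router id, area id, checksum, autype, reserved, key id, auth len, crypto seq
OSPF_HEADER = "!BBH4s4sHHHBBI"
OSPF_HEADER_LEN = struct.calcsize(OSPF_HEADER)  # 24 octets
AUTYPE_CRYPTO = 2
APAD_WORD = bytes.fromhex("878FE1F3")           # RFC 5709 Apad constant


def _apad(hash_name):
    # Apad is 0x878FE1F3 repeated L/4 times, L = digest length in octets.
    return APAD_WORD * (hashlib.new(hash_name).digest_size // 4)


def ospf_hmac(key, packet, hash_name="sha256"):
    """Digest over the OSPFv2 packet (Auth Data field already holding key id,
    auth length and sequence number) followed by Apad.  Key padding is the
    standard RFC 2104 treatment performed by the hmac module (assumption)."""
    return hmac.new(key, packet + _apad(hash_name), hash_name).digest()


def build_packet(key, key_id, router_id, area_id, seq, pkt_type=1, body=b"", hash_name="sha256"):
    """Return header + body + digest; Length excludes the trailing digest."""
    digest_len = hashlib.new(hash_name).digest_size
    length = OSPF_HEADER_LEN + len(body)
    header = struct.pack(OSPF_HEADER, 2, pkt_type, length, router_id, area_id,
                         0, AUTYPE_CRYPTO, 0, key_id, digest_len, seq)
    packet = header + body
    return packet + ospf_hmac(key, packet, hash_name)


def verify_packet(keys, wire, last_seq, hash_name="sha256"):
    """Return (accepted, reason, new_last_seq).

    keys: {key_id: secret}.  last_seq: highest sequence number already
    accepted from this neighbor.  RFC 2328 D.3 accepts seq >= last_seq,
    so several packets may legitimately carry the same value."""
    if len(wire) < OSPF_HEADER_LEN:
        return False, "truncated header", last_seq
    (ver, _ptype, length, _rid, _aid, _cksum, autype,
     _rsvd, key_id, digest_len, seq) = struct.unpack(OSPF_HEADER, wire[:OSPF_HEADER_LEN])
    if ver != 2 or autype != AUTYPE_CRYPTO:
        return False, "not OSPFv2 cryptographic authentication", last_seq
    if key_id not in keys:
        return False, "unknown key id", last_seq
    if digest_len != hashlib.new(hash_name).digest_size or len(wire) != length + digest_len:
        return False, "bad auth/packet length", last_seq
    packet, received = wire[:length], wire[length:]
    # Constant-time comparison; nothing in the packet is trusted before this.
    if not hmac.compare_digest(ospf_hmac(keys[key_id], packet, hash_name), received):
        return False, "digest mismatch", last_seq
    # Replay check only after the MAC is good, so a forged packet cannot
    # advance the neighbor's recorded sequence number.
    if seq < last_seq:
        return False, "replayed sequence number", last_seq
    return True, "ok", seq


def demo():
    """Accept, accept, tampered, replayed, unknown key id (constructed data)."""
    keys = {1: b"constructed-demo-key-not-a-real-secret"}
    rid, aid = bytes([10, 0, 0, 1]), bytes(4)
    hello_body = b"\xff\xff\xff\x00" + b"\x00" * 16      # constructed Hello body
    results, state = [], 0
    p100 = build_packet(keys[1], 1, rid, aid, 100, body=hello_body)
    ok, why, state = verify_packet(keys, p100, state); results.append((ok, why))
    p101 = build_packet(keys[1], 1, rid, aid, 101, body=hello_body)
    ok, why, state = verify_packet(keys, p101, state); results.append((ok, why))
    tampered = bytearray(p101); tampered[4] ^= 0x01         # flip a Router ID bit
    ok, why, state = verify_packet(keys, bytes(tampered), state); results.append((ok, why))
    ok, why, state = verify_packet(keys, p100, state); results.append((ok, why))   # old seq
    ok, why, state = verify_packet({2: keys[1]}, p101, state); results.append((ok, why))
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", why)
```

The ordering inside verify_packet is the point worth keeping when reading the thread's trade-off: the sequence number is authenticated by the digest, so it is only consulted after the MAC passes, and an AH-based design that dropped it would need IPsec's own anti-replay window to replace this check.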