Re: [OSPF] Authentication/Confidentiality for OSPFv2

Stan Ratliff <sratliff@cisco.com> Wed, 26 August 2009 14:38 UTC

Return-Path: <sratliff@cisco.com>
X-Original-To: ospf@core3.amsl.com
Delivered-To: ospf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5848D3A6C0E for <ospf@core3.amsl.com>; Wed, 26 Aug 2009 07:38:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.191
X-Spam-Level:
X-Spam-Status: No, score=-6.191 tagged_above=-999 required=5 tests=[AWL=0.408, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t+wvsA3G90UZ for <ospf@core3.amsl.com>; Wed, 26 Aug 2009 07:38:57 -0700 (PDT)
Received: from rtp-iport-1.cisco.com (rtp-iport-1.cisco.com [64.102.122.148]) by core3.amsl.com (Postfix) with ESMTP id 140E93A68ED for <ospf@ietf.org>; Wed, 26 Aug 2009 07:38:57 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEAKfllEpAZnme/2dsb2JhbADAH4g5kDQFhBqBWA
X-IronPort-AV: E=Sophos;i="4.44,279,1249257600"; d="scan'208";a="55570342"
Received: from rtp-dkim-1.cisco.com ([64.102.121.158]) by rtp-iport-1.cisco.com with ESMTP; 26 Aug 2009 14:37:28 +0000
Received: from rtp-core-1.cisco.com (rtp-core-1.cisco.com [64.102.124.12]) by rtp-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n7QEbSiW015328; Wed, 26 Aug 2009 10:37:28 -0400
Received: from rtp-sratliff-8713.cisco.com (rtp-sratliff-8713.cisco.com [10.116.179.212]) by rtp-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id n7QEbRDp019348; Wed, 26 Aug 2009 14:37:27 GMT
Message-Id: <C7F7AE24-F717-4837-8B77-AB8EC9BF22C8@cisco.com>
From: Stan Ratliff <sratliff@cisco.com>
To: Vishwas Manral <vishwas.ietf@gmail.com>
In-Reply-To: <77ead0ec0908251037y77ca5247h900ef584e7768d28@mail.gmail.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Wed, 26 Aug 2009 10:37:30 -0400
References: <25C684A4-6D5E-4924-892E-758F0AB1A36B@redback.com> <4A8C2F43.6010509@cisco.com> <19964D61-784B-4A71-BD68-9E6A1DAB3DAB@redback.com> <77ead0ec0908251037y77ca5247h900ef584e7768d28@mail.gmail.com>
X-Mailer: Apple Mail (2.936)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3590; t=1251297448; x=1252161448; c=relaxed/simple; s=rtpdkim1001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=sratliff@cisco.com; z=From:=20Stan=20Ratliff=20<sratliff@cisco.com> |Subject:=20Re=3A=20[OSPF]=20Authentication/Confidentiality =20for=20OSPFv2 |Sender:=20 |To:=20Vishwas=20Manral=20<vishwas.ietf@gmail.com>; bh=HeslYG5l5hs6jQ220/S7Y65bNyHvXh0hg9Sa2WG9M5E=; b=X6nfM08GLi3vMuZ5W6jFVaqS4XOiPhwgst17Cde4u33MBjLG1hNuxiCUpp LlbP6j+k7veOJn+rbArgvurAvZ3hkBAsF4Aw5lQ2lIqC5kPPZpUmZ3hYqFCC VtziPWocaG;
Authentication-Results: rtp-dkim-1; header.From=sratliff@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim1001 verified; );
Cc: OSPF List <ospf@ietf.org>, Suresh Melam <nmelam@juniper.net>
Subject: Re: [OSPF] Authentication/Confidentiality for OSPFv2
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2009 14:38:58 -0000

Using IPSec is great (painful, laborious, voluminous configuration
aside) if you have a wired network, and static partners. It isn't so
great if you're trying to deploy an ad-hoc network, and you're not
really sure from moment-to-moment which of your potential partner
routers you may be needing to establish an adjacency with. So, IPSec
doesn't really work for me.

Regards,
Stan

On Aug 25, 2009, at 1:37 PM, Vishwas Manral wrote:

> Hi Acee,
>
> Though I mostly agree with Paul, the advantage of having something at
> the IPsec level is that we do not require protocol-specific extensions
> as long as IPsec meets the needs as we move forward. An example of
> this could be an automatic keying mechanism rather than manual keying.
>
> Thanks,
> Vishwas
>
> On Tue, Aug 25, 2009 at 10:21 AM, Acee Lindem<acee@redback.com> wrote:
>> Hi Paul,
>>
>> On Aug 19, 2009, at 12:58 PM, Paul Wells wrote:
>>
>>> Hi Acee,
>>>
>>> Before we make this a working group document I'd like to hear what
>>> real problem in OSPFv2 this proposal is addressing.
>>>
>>> With draft-ietf-ospf-hmac-sha we are upgrading the authentication
>>> algorithms used by OSPFv2 to the same ones commonly used with IPSec.
>>> While the optional use of AH does authenticate additional bits of the
>>> IP header, I'm not sure I see a significant benefit in that. On the
>>> other hand, we lose the replay protection we currently have in OSPFv2.
>>
>> This would not replace the existing OSPFv2 authentication. Rather, it
>> would augment it.
>>
>>
>>>
>>> The only new capability I see is the option of encrypting the protocol
>>> traffic while, presumably, leaving everything else in the clear. In my
>>> opinion if you really care about confidentiality you'll run everything,
>>> including OSPF, through an IPSec tunnel.
>>
>> That's a valid question? What is the group feeling on this?
>>
>>
>>>
>>> I'd rather see the WG spend its time improving RFC 4552 by allowing
>>> for automated rekeying (at least on P2P links) rather than simply
>>> copying the existing OSPFv3 spec to OSPFv2.
>>
>> Much of what is going on in this space is not within the charter of the
>> OSPF WG. With respect to P2P links, I've thought about defining a mode
>> of operation that would relegate OSPF(v3) topologies to P2P and P2MP
>> allowing the use of IKEv2 for automated rekeying. In fact, it was one
>> of those ideas I meant to propose at an OSPF WG meeting but never got
>> around to it.
>>
>> Thanks,
>> Acee
>>
>>
>>>
>>> Regards,
>>> Paul
>>>
>>> Acee Lindem wrote:
>>>>
>>>> For some time we've discussed adding IPsec support for OSPFv2
>>>> analogous to what we have for OSPFv3. The subject draft describes how
>>>> we'd build on the OSPFv3 support to support OSPFv2:
>>>>   http://www.ietf.org/id/draft-gupta-ospf-ospfv2-sec-01.txt
>>>> What are the current thoughts as far as adding this as a WG document?
>>>> Thanks,
>>>> Acee
>>>> P.S. The formatting issues will be fixed in the next revision.
>>>> _______________________________________________
>>>> OSPF mailing list
>>>> OSPF@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ospf
>>
>> _______________________________________________
>> OSPF mailing list
>> OSPF@ietf.org
>> https://www.ietf.org/mailman/listinfo/ospf
>>
> _______________________________________________
> OSPF mailing list
> OSPF@ietf.org
> https://www.ietf.org/mailman/listinfo/ospf
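The replay-protection point Paul raises above is the one practitioners most often get wrong when comparing OSPFv2's own cryptographic authentication (AuType 2) with manually keyed AH/ESP: the OSPFv2 scheme carries a per-neighbor cryptographic sequence number, so a captured, integrity-valid packet cannot simply be resent later. The following is an added example, not code from this thread, from draft-ietf-ospf-hmac-sha, or from any router implementation. It models a sender that appends an HMAC-SHA trailer over the packet plus Apad and a receiver that verifies the digest before consulting its sequence-number state. It uses standard RFC 2104 HMAC and a simplified Apad, and does not reproduce the draft's byte-exact key-preparation rules, so it is a model of the mechanism rather than an interoperable implementation. The key ID, key, router ID and Hello body are constructed sample values.

```python
"""Model of OSPFv2 cryptographic authentication (AuType 2): an HMAC-SHA
trailer plus the per-neighbor cryptographic sequence number that gives
OSPFv2 its replay protection.  Added example, not code from the thread or
the draft; standard RFC 2104 HMAC over packet||Apad, not the draft's exact
key preparation, so it is a model and not interoperable with real routers."""
import hashlib
import hmac
import struct

# OSPFv2 header (RFC 2328 A.3.1): version, type, length, router ID, area ID,
# checksum, AuType; the 8-octet Authentication field follows it.
OSPF_HDR = struct.Struct("!BBHIIHH")
# Authentication field for AuType 2 (RFC 2328 D.3): zero, Key ID,
# Auth Data Length, Cryptographic sequence number.
AUTH_FIELD = struct.Struct("!HBBI")
AUTYPE_CRYPTOGRAPHIC = 2


def apad(digest_len):
    """Apad: 0x878FE1F3 repeated to the digest length (simplified from the draft)."""
    return (b"\x87\x8f\xe1\xf3" * ((digest_len + 3) // 4))[:digest_len]


def build_packet(pkt_type, router_id, area_id, body, key_id, key, seq, hash_name="sha256"):
    """Sender side: header + auth field + body, then the digest appended after
    the packet (the digest is not counted in the OSPF length field)."""
    digest_len = hashlib.new(hash_name).digest_size
    length = OSPF_HDR.size + AUTH_FIELD.size + len(body)
    header = OSPF_HDR.pack(2, pkt_type, length, router_id, area_id, 0, AUTYPE_CRYPTOGRAPHIC)
    auth = AUTH_FIELD.pack(0, key_id, digest_len, seq)
    packet = header + auth + body
    digest = hmac.new(key, packet + apad(digest_len), hash_name).digest()
    return packet + digest


def verify_packet(wire, keys, neighbor_seq, hash_name="sha256"):
    """Receiver side.  Returns a short reason string; "ok" means accepted.
    neighbor_seq maps router ID -> last accepted sequence number and is
    updated only after the digest has verified."""
    if len(wire) < OSPF_HDR.size + AUTH_FIELD.size:
        return "short"
    version, _ptype, length, router_id, _area, _cksum, autype = OSPF_HDR.unpack_from(wire, 0)
    if version != 2 or autype != AUTYPE_CRYPTOGRAPHIC:
        return "autype"
    _zero, key_id, auth_len, seq = AUTH_FIELD.unpack_from(wire, OSPF_HDR.size)
    key = keys.get(key_id)
    if key is None:
        return "unknown key id"
    if length < OSPF_HDR.size + AUTH_FIELD.size or len(wire) != length + auth_len:
        return "length"
    packet, trailer = wire[:length], wire[length:]
    expected = hmac.new(key, packet + apad(auth_len), hash_name).digest()
    # Constant-time compare; a digest-length mismatch is also a failure.
    if auth_len != len(expected) or not hmac.compare_digest(trailer, expected):
        return "bad digest"
    # The replay check runs only after the digest verified, so an
    # unauthenticated packet can never move the neighbor's sequence window.
    # RFC 2328 D.3 accepts seq >= last, so only older packets are rejected.
    last = neighbor_seq.get(router_id)
    if last is not None and seq < last:
        return "replay"
    neighbor_seq[router_id] = seq
    return "ok"


def demo():
    """Accept, advance, replay, tamper, wrong-key and truncation cases;
    returns the receiver verdicts.  All inputs are constructed sample values."""
    key = b"example-shared-secret"  # constructed sample key, not a real one
    keys = {1: key}
    state = {}
    # Constructed Hello body: netmask, HelloInterval, options, priority,
    # RouterDeadInterval, DR, BDR (RFC 2328 A.3.2 layout).
    hello = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    p1 = build_packet(1, 0x0A000001, 0, hello, 1, key, seq=100)
    p2 = build_packet(1, 0x0A000001, 0, hello, 1, key, seq=101)
    tampered = bytearray(p2)
    tampered[OSPF_HDR.size + AUTH_FIELD.size] ^= 0xFF  # flip a byte of the body
    return [
        verify_packet(p1, keys, state),
        verify_packet(p2, keys, state),
        verify_packet(p1, keys, state),              # older seq, valid digest
        verify_packet(bytes(tampered), keys, state),
        verify_packet(p2, {1: b"wrong-key"}, state),
        verify_packet(p2[:-1], keys, state),         # truncated trailer
    ]


if __name__ == "__main__":
    print(demo())
```

Two things in the receiver are worth copying into any real implementation. The digest is checked before the sequence number is consulted, because otherwise an attacker with no key could advance a neighbor's stored sequence number and lock out its genuine packets. And the window semantics are deliberately weak: because the comparison is seq >= last, a replay of the most recent packet still passes, and a receiver that restarts has no state until it hears from the neighbor again. That is exactly the property a manually keyed AH/ESP deployment without anti-replay does not give you at all, which is why losing it is the cost Paul is pointing at.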