Re: [OSPF] One more RFC 6506BIS Clarification

"Mike Dubrovskiy (mdubrovs)" <mdubrovs@cisco.com> Mon, 07 October 2013 22:19 UTC

From: "Mike Dubrovskiy (mdubrovs)" <mdubrovs@cisco.com>
To: Acee Lindem <acee@lindem.com>, OSPF List <ospf@ietf.org>
Date: Mon, 07 Oct 2013 22:19:51 +0000
Message-ID: <534FD0D7D9E99740A077CE1A38EB79C30328E0A3@xmb-aln-x03.cisco.com>
References: <39397A08-58F0-474D-AA3F-17390CB01FEF@lindem.com>
In-Reply-To: <39397A08-58F0-474D-AA3F-17390CB01FEF@lindem.com>

Hi Acee,

I like the change, but we currently have the following text in RFC 6506:

   "In the event that the last key associated
   with an interface expires, it is unacceptable to revert to an
   unauthenticated condition and not advisable to disrupt routing.
   Therefore, the router SHOULD send a "last Authentication Key
   expiration" notification to the network operator and treat the key as
   having an infinite lifetime until the lifetime is extended, the key
   is deleted by the network operator, or a new key is configured."

The above text is difficult to apply to Accept keys. It should be either deleted
or modified.

Thank you,
Mike

> -----Original Message-----
> From: ospf-bounces@ietf.org [mailto:ospf-bounces@ietf.org] On Behalf Of
> Acee Lindem
> Sent: Monday, October 07, 2013 1:25 PM
> To: OSPF List
> Subject: [OSPF] One more RFC 6506BIS Clarification
> 
> One more thing I intend to add is explicit specification that the OSPFv3 packet
> should be dropped if the Security Association isn't found or has expired. The
> text is analogous to the original RFC 2328 Appendix D text. This will be added
> to section 4.6.
> 
> ***************
> *** 976,981 ****
> --- 976,986 ----
>      and the IPv6 header length is less than the amount necessary to
>      include an Authentication Trailer.
> 
> +    Locate the receiving interface's OSPFv3 SA using the SA ID in the
> +    received AT.  If the SA is not found, or if the SA is not valid for
> +    reception (i.e., current time < KeyStartAccept or current time >=
> +    KeyStopAccept), the OSPFv3 packet is dropped.
> +
>      If the cryptographic sequence number in the AT is less than or equal
>      to the last sequence number in the last OSPFv3 packet of the same
>      OSPFv3 type successfully received from the neighbor, the OSPFv3
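Review bot: the reception window in the added paragraph (drop when current time >= KeyStopAccept) is hard to reconcile with the existing RFC 6506 text quoted at the top of this thread, which tells a router to treat the last key on an interface as having an infinite lifetime rather than letting it expire; the new paragraph should say explicitly whether that last-key rule applies to accept keys as well, or the last-key text should be revised in the same change so the two do not contradict each other. A smaller point: since the drop is silent, consider stating that an SA-not-found drop and a not-valid-for-reception drop are counted or logged separately, so an operator can tell a mismatched SA ID from an expired key.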
> 
> Although I would hope no one would complain about this since it was always
> implied in section 3 (see excerpt below), please speak now if you have any
> concerns.
> 
>    o  Security Association Identifier (SA ID)
> 
>       This is a 16-bit unsigned integer used to uniquely identify an
>       OSPFv3 SA, as manually configured by the network operator.
> 
>       The receiver determines the active SA by looking at the SA ID
>       field in the incoming protocol packet.
> 
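The receive-side checks from the proposed section 4.6 text, as an added illustration that is not part of this thread or of RFC 6506: SA lookup by SA ID, the half-open [KeyStartAccept, KeyStopAccept) window, and the cryptographic sequence number check per neighbor and OSPFv3 packet type. The `last_key_infinite` switch is an assumption added to show how Mike's point about the "last key" text changes the outcome for an expired accept key; the class and field names are hypothetical, and all times and keys are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class OspfSa:
    sa_id: int             # 16-bit SA ID carried in the Authentication Trailer
    key_start_accept: int  # packets accepted from this time (seconds)
    key_stop_accept: int   # packets rejected from this time on (seconds)


def sa_valid_for_reception(sa: OspfSa, now: int) -> bool:
    """Half-open window from the proposed text: drop if now < KeyStartAccept
    or now >= KeyStopAccept."""
    return sa.key_start_accept <= now < sa.key_stop_accept


class AtReceiver:
    """Receive-side state for one interface (hypothetical class, not RFC text)."""

    def __init__(self, sas, last_key_infinite=False):
        self.sas = {sa.sa_id: sa for sa in sas}
        # Assumption: operator policy applying the RFC 6506 'last key has an
        # infinite lifetime' rule to accept keys as well (the open question).
        self.last_key_infinite = last_key_infinite
        # Last sequence number successfully received per (neighbor, OSPFv3 type)
        self.last_seq = {}

    def check(self, sa_id, seq, neighbor, pkt_type, now):
        """Return (accepted, reason) for one received OSPFv3 packet with an AT."""
        sa = self.sas.get(sa_id)
        if sa is None:
            return False, "sa-not-found"
        if not sa_valid_for_reception(sa, now):
            # Only an expired (not a not-yet-started) last key is kept alive.
            only_key = len(self.sas) == 1
            if not (self.last_key_infinite and only_key
                    and now >= sa.key_stop_accept):
                return False, "sa-not-valid-for-reception"
        last = self.last_seq.get((neighbor, pkt_type))
        if last is not None and seq <= last:
            return False, "replayed-or-stale-sequence"
        # Sequence state advances only for packets that pass every check.
        self.last_seq[(neighbor, pkt_type)] = seq
        return True, "accepted"
```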