Re: [OSPF] Security Extension for OSPFv2 when using Manual Key Management - draft-bhatia-karp-ospf-ip-layer-protection-03

Curtis Villamizar <curtis@occnc.com> Tue, 12 April 2011 02:58 UTC

Message-Id: <201104120258.p3C2wGfH022688@harbor.orleans.occnc.com>
To: Acee Lindem <acee.lindem@ericsson.com>
From: Curtis Villamizar <curtis@occnc.com>
In-reply-to: Your message of "Mon, 11 Apr 2011 13:18:08 EDT." <4B460FD5-4E9D-4ECF-8D7B-24137FBF9017@ericsson.com>
Date: Mon, 11 Apr 2011 22:58:16 -0400
Sender: curtis@occnc.com
Cc: OSPF WG List <ospf@ietf.org>, Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: [OSPF] Security Extension for OSPFv2 when using Manual Key Management - draft-bhatia-karp-ospf-ip-layer-protection-03

In message <4B460FD5-4E9D-4ECF-8D7B-24137FBF9017@ericsson.com>;
Acee Lindem writes:
>  
> There was general agreement that this should be a WG document at the
> meeting in Prague. Please indicate your position on making this draft
> a WG document with intended status Proposed Standard.
>  
> Thanks,
> Acee


Yes, I support making this a WG item.

One improvement and something pointed out in KARP is that
public/private key pairs are often used and have advantages over
shared keys.  One thing that can be done if a public/private key pair
is used is to encrypt a session key for use during a session.  Instead of
a sequence number or session ID, the key itself is exchanged.  That is
somewhat similar to the way Kerberos makes use of a session key to
encrypt as little information as possible using the shared secret that
is used to get a TGT from the KDC.  This has an advantage that with a
periodic change in the session key a snooper with access to a lot of
computing resources could still have trouble breaking the session key
before it changed.

For most applications of OSPF this won't matter.  For some it might.

Curtis


And always remember - just because you are paranoid doesn't mean they
are not out to get you.  :-)
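The exchange Curtis sketches above (a session key wrapped under the peer's public key, then used to authenticate packets and rotated periodically) as an added, self-contained Go example. This is not code from the draft, from KARP, or from any OSPF implementation; it assumes RSA-OAEP as the wrapping primitive, HMAC-SHA256 as the per-packet authenticator, and a constructed 24-byte OSPFv2-style header as the sample packet. The OAEP label, key sizes, and router/area IDs are all example choices.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// sessionKeyLen is the size of the per-session HMAC key (example choice:
// 32 bytes for HMAC-SHA256).
const sessionKeyLen = 32

// oaepLabel binds the wrapped key to this use; any fixed label agreed by both
// peers works (example value).
var oaepLabel = []byte("ospf-session-key")

// helloPacket builds a minimal OSPFv2 header as a constructed sample (not a
// real capture): version 2, type 1 (Hello), length, router ID and area ID.
// The remaining fields (checksum, AuType, authentication) are left zero.
func helloPacket(routerID, areaID uint32) []byte {
	p := make([]byte, 24)
	p[0] = 2                              // version
	p[1] = 1                              // type: Hello
	binary.BigEndian.PutUint16(p[2:], 24) // packet length
	binary.BigEndian.PutUint32(p[4:], routerID)
	binary.BigEndian.PutUint32(p[8:], areaID)
	return p
}

// wrapSessionKey draws a fresh random session key and encrypts it to the
// peer's RSA public key with OAEP, so only the private-key holder recovers it.
func wrapSessionKey(peerPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, sessionKeyLen)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, peerPub, sessionKey, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	return sessionKey, wrapped, nil
}

// unwrapSessionKey recovers the session key with the matching private key.
func unwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

// authenticate computes the HMAC-SHA256 tag over a packet under the current
// session key; the shared secret itself never touches packet data.
func authenticate(sessionKey, packet []byte) []byte {
	m := hmac.New(sha256.New, sessionKey)
	m.Write(packet)
	return m.Sum(nil)
}

// verify checks a received tag in constant time.
func verify(sessionKey, packet, tag []byte) bool {
	return hmac.Equal(tag, authenticate(sessionKey, packet))
}

// runExchange walks the flow between sender A and receiver B and reports
// whether B accepts A's tag under the first session key, and whether that same
// tag is still accepted once the session key has been rotated.
func runExchange() (acceptedBefore, acceptedAfterRotation bool, err error) {
	// B owns a long-lived key pair; A only needs B's public key.
	// 2048-bit RSA is an example choice.
	privB, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// A picks session key #1 and ships it wrapped; B unwraps it.
	keyA, wrapped, err := wrapSessionKey(&privB.PublicKey)
	if err != nil {
		return false, false, err
	}
	keyB, err := unwrapSessionKey(privB, wrapped)
	if err != nil {
		return false, false, err
	}
	if !bytes.Equal(keyA, keyB) {
		return false, false, errors.New("unwrapped session key differs from the one sent")
	}
	pkt := helloPacket(0x0A000001, 0) // router ID 10.0.0.1, backbone area (constructed)
	tag := authenticate(keyA, pkt)
	acceptedBefore = verify(keyB, pkt, tag)

	// Periodic rotation: A wraps a fresh key and B replaces its copy. A tag
	// computed under the old key must no longer verify.
	_, wrapped2, err := wrapSessionKey(&privB.PublicKey)
	if err != nil {
		return false, false, err
	}
	keyB2, err := unwrapSessionKey(privB, wrapped2)
	if err != nil {
		return false, false, err
	}
	acceptedAfterRotation = verify(keyB2, pkt, tag)
	return acceptedBefore, acceptedAfterRotation, nil
}

func main() {
	before, after, err := runExchange()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("tag accepted under session key #1: %v\n", before)
	fmt.Printf("same tag accepted after rotation:  %v\n", after)
}
```

The point the code makes is the one in the reply: the long-lived secret (B's private key) is used only to unwrap a short random session key, so the bulk of the authenticated traffic is keyed by material that can be replaced at will, and a tag produced under a retired key stops verifying as soon as both sides have moved on.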