Re: [OSPF] Authentication/Confidentiality for OSPFv2
Stan Ratliff <sratliff@cisco.com> Fri, 28 August 2009 16:21 UTC
Return-Path: <sratliff@cisco.com>
X-Original-To: ospf@core3.amsl.com
Delivered-To: ospf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0326D28C3F8 for <ospf@core3.amsl.com>; Fri, 28 Aug 2009 09:21:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[AWL=0.350, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qjmbeMlQC1du for <ospf@core3.amsl.com>; Fri, 28 Aug 2009 09:21:24 -0700 (PDT)
Received: from rtp-iport-1.cisco.com (rtp-iport-1.cisco.com [64.102.122.148]) by core3.amsl.com (Postfix) with ESMTP id 680B23A6C66 for <ospf@ietf.org>; Fri, 28 Aug 2009 09:21:24 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.44,292,1249257600"; d="scan'208";a="55940846"
Received: from rtp-dkim-2.cisco.com ([64.102.121.159]) by rtp-iport-1.cisco.com with ESMTP; 28 Aug 2009 16:21:31 +0000
Received: from rtp-core-1.cisco.com (rtp-core-1.cisco.com [64.102.124.12]) by rtp-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id n7SGLUCO019703; Fri, 28 Aug 2009 12:21:30 -0400
Received: from dhcp-64-102-54-254.cisco.com (dhcp-64-102-54-254.cisco.com [64.102.54.254]) by rtp-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id n7SGLUCD026128; Fri, 28 Aug 2009 16:21:30 GMT
Message-Id: <751144AB-3E87-46F6-B055-4C7BF52AF944@cisco.com>
From: Stan Ratliff <sratliff@cisco.com>
To: Anton Smirnov <asmirnov@cisco.com>
In-Reply-To: <4A9673DF.7030805@cisco.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Fri, 28 Aug 2009 12:21:38 -0400
References: <25C684A4-6D5E-4924-892E-758F0AB1A36B@redback.com> <4A8C2F43.6010509@cisco.com> <19964D61-784B-4A71-BD68-9E6A1DAB3DAB@redback.com> <77ead0ec0908251037y77ca5247h900ef584e7768d28@mail.gmail.com> <C7F7AE24-F717-4837-8B77-AB8EC9BF22C8@cisco.com> <4A9673DF.7030805@cisco.com>
X-Mailer: Apple Mail (2.936)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5253; t=1251476491; x=1252340491; c=relaxed/simple; s=rtpdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=sratliff@cisco.com; z=From:=20Stan=20Ratliff=20<sratliff@cisco.com> |Subject:=20Re=3A=20[OSPF]=20Authentication/Confidentiality =20for=20OSPFv2 |Sender:=20 |To:=20Anton=20Smirnov=20<asmirnov@cisco.com>; bh=rXcwzOcOe4PrmamTZeYMUjeexkhKsuAPAq7xUbByh+w=; b=p+zDnNs6myUs60BRtgzE9xdxP7293cmwGOe6n450HznR5nw8ReO99lQwwF CUo4nEINmqjsEW9fZQhv2Tc6N9a2+41mT6hgwWOp6dGBZ1HzyN8JmlhQD8U0 VA5HpcjJDw;
Authentication-Results: rtp-dkim-2; header.From=sratliff@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim2001 verified; );
Cc: OSPF List <ospf@ietf.org>, Suresh Melam <nmelam@juniper.net>
Subject: Re: [OSPF] Authentication/Confidentiality for OSPFv2
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2009 16:21:26 -0000
Authenticating session partners is important for mobile, ad-hoc networks. Having confidentiality and non-repudiation for control-plane traffic is extremely important as well. Deployment scenarios would be something like an ad-hoc network coming together to fight the all-too- common California wildfires. You don't want someone hacking into the network, pretending to be a routing node. The same notion applies to military networks. Regards, Stan On Aug 27, 2009, at 7:54 AM, Anton Smirnov wrote: > > Hi Stan, > I appreciate your concern that IPsec is not an option for MANET > deployments but then I can't believe OSPF traffic is the only thing > there which must be protected. Because if user traffic requires > encryption then having OSPF encrypted by its own protocol means is not > really solving any issue. In this case problem has to be addressed > lower > in hierarchy, probably devising encryption scheme on radio link level. > > So far I have never seen valid deployment scenario when routing > protocol has to have protection stronger than traffic. Without > understanding of target deployment scenario this looks like me-too > effort. > > Anton > > > > Stan Ratliff wrote: >> Using IPSec is great (painful, laborious, voluminous configuration >> aside) if you have a wired network, and static partners. It isn't so >> great if you're trying to deploy an ad-hoc network, and you're not >> really sure from moment-to-moment which of your potential partner >> routers you make be needing to establish an adjacency with. So, IPSec >> doesn't really work for me. >> >> Regards, >> Stan >> >> On Aug 25, 2009, at 1:37 PM, Vishwas Manral wrote: >> >>> Hi Acee, >>> >>> Though I mostly agree with Paul. The advantage of having something >>> at >>> the IPsec level is that we do not require protocol specific >>> extensions >>> as long as IPsec meets the needs as we move forward. an example of >>> this could be automatic Keying mechanism rather than manual keying. >>> >>> Thanks, >>> Vishwas >>> >>> On Tue, Aug 25, 2009 at 10:21 AM, Acee Lindem<acee@redback.com> >>> wrote: >>>> Hi Paul, >>>> >>>> On Aug 19, 2009, at 12:58 PM, Paul Wells wrote: >>>> >>>>> Hi Acee, >>>>> >>>>> Before we make this a working group document I'd like to hear >>>>> what real >>>>> problem in OSPFv2 this proposal is addressing. >>>>> >>>>> With draft-ietf-ospf-hmac-sha we are upgrading the authentication >>>>> algorithms used by OSPFv2 to the same ones commonly used with >>>>> IPSec. >>>>> While >>>>> the optional use of AH does authenticate additional bits of the IP >>>>> header, >>>>> I'm not sure I see a significant benefit in that. On the other >>>>> hand, >>>>> we lose >>>>> the replay protection we currently have in OSPFv2. >>>> >>>> This would not replace the existing OSPFv2 authentication. >>>> Rather, it >>>> would >>>> augment it. >>>> >>>> >>>>> >>>>> The only new capability I see is the option of encrypting the >>>>> protocol >>>>> traffic while, presumably, leaving everything else in the clear. >>>>> In my >>>>> opinion if you really care about confidentiality you'll run >>>>> everything, >>>>> including OSPF, through an IPSec tunnel. >>>> >>>> That's a valid question? What is the group feeling on this? >>>> >>>> >>>>> >>>>> I'd rather see the WG spend it's time improving RFC 4552 by >>>>> allowing >>>>> for >>>>> automated rekeying (at least on P2P links) rather than simply >>>>> copying the >>>>> existing OSPFv3 spec to OSPFv2. >>>> >>>> Much of what is going on in this space is not within the charter of >>>> the OSPF >>>> WG. With respect to P2P links, I've thought about defining a mode >>>> of >>>> operation that would relegate OSPF(v3) topologies to P2P and P2MP >>>> allowing >>>> the use of IKEv2 for automated rekeying. In fact, it was one of >>>> those >>>> ideas >>>> I meant to propose at an OSPF WG meeting but never got around to >>>> it. >>>> >>>> Thanks, >>>> Acee >>>> >>>> >>>>> >>>>> Regards, >>>>> Paul >>>>> >>>>> Acee Lindem wrote: >>>>>> >>>>>> For some time we've discussed adding IPsec support for OSPFv2 >>>>>> analogous >>>>>> to what we have for OSPFv3. The draft subject draft describes how >>>>>> we'd build >>>>>> on the OSPFv3 support to support OSPFv2: >>>>>> http://www.ietf.org/id/draft-gupta-ospf-ospfv2-sec-01.txt >>>>>> What are the current thoughts as far as adding this as a WG >>>>>> document? >>>>>> Thanks, >>>>>> Acee >>>>>> P.S. The formatting issues will be fixed in the next >>>>>> revision._______________________________________________ >>>>>> OSPF mailing list >>>>>> OSPF@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/ospf >>>> >>>> _______________________________________________ >>>> OSPF mailing list >>>> OSPF@ietf.org >>>> https://www.ietf.org/mailman/listinfo/ospf >>>> >>> _______________________________________________ >>> OSPF mailing list >>> OSPF@ietf.org >>> https://www.ietf.org/mailman/listinfo/ospf >> >> _______________________________________________ >> OSPF mailing list >> OSPF@ietf.org >> https://www.ietf.org/mailman/listinfo/ospf
- [OSPF] Authentication/Confidentiality for OSPFv2 Acee Lindem
- Re: [OSPF] Authentication/Confidentiality for OSP… Michael Barnes
- Re: [OSPF] Authentication/Confidentiality for OSP… Paul Wells
- Re: [OSPF] Authentication/Confidentiality for OSP… Acee Lindem
- Re: [OSPF] Authentication/Confidentiality for OSP… Vishwas Manral
- Re: [OSPF] Authentication/Confidentiality for OSP… Stan Ratliff
- Re: [OSPF] Authentication/Confidentiality for OSP… Anton Smirnov
- Re: [OSPF] Authentication/Confidentiality for OSP… Stan Ratliff