RE: [OSPF] Revised OSPF HMAC SHA Authentication Draft

sujay <sujayg@huawei.com> Thu, 24 August 2006 05:42 UTC

Date: Thu, 24 Aug 2006 11:06:49 +0530
From: sujay <sujayg@huawei.com>
Subject: RE: [OSPF] Revised OSPF HMAC SHA Authentication Draft
In-reply-to: <77ead0ec0608232153j6eb2add0l42cbc084fe3c4ec3@mail.gmail.com>
To: 'Vishwas Manral' <vishwas.ietf@gmail.com>, paul@jakma.org
Cc: ospf@ietf.org, 'Mailing List' <OSPF@peach.ease.lsoft.com>

Agree,
While a failed authentication could be basically due to configuration issues
or mismatched algo's. Where 'Configuration' can be changed, but a 'not
supported algo' may need an image upgrade. It's my guess image upgrade may
not be thoroughly welcome.
We do need a 'Must' support algo. clause.

Vishwas; would it be a nice idea to add a section in the current draft,
talking about this issue and with cross reference to the below mentioned
drafts??


Regds,
Sujay G
My Location:
http://maps.google.com/maps?ll=14.626109,76.959229&spn=4.724852,7.525085&t=h&hl=en


-----Original Message-----
From: Vishwas Manral [mailto:vishwas.ietf@gmail.com] 
Sent: Thursday, August 24, 2006 10:24 AM
To: paul@jakma.org
Cc: ospf@ietf.org; Mailing List
Subject: Re: [OSPF] Revised OSPF HMAC SHA Authentication Draft

Paul,

> There is though value in defining "MUST support" algos, otherwise poor 
> users could be faced with having routers which all implement OSPF but 
> can be made to interoperate unless authentication is left 
> unconfigured.
We have drafts to meet the following exact requirements:
http://www.ietf.org/internet-drafts/draft-bhatia-manral-crypto-req-ospf-00.txt
 and
http://www.ietf.org/internet-drafts/draft-bhatia-manral-crypto-req-isis-00.txt

for OSPF and IS-IS respectively.

Thanks,
Vishwas

On 8/24/06, Paul Jakma <paul@clubi.ie> wrote:
> On Wed, 23 Aug 2006, Dave Katz wrote:
>
> > Sigh.  C'mon, folks, there is no problem.
>
> > At the end of the day it doesn't matter if the value of 2 or 3 or
> > 42 is used; if there's a mismatch on the algorithm ID, the 
> > algorithm, or the key, the authentication will fail, and if it all 
> > matches, it will work.
>
> Strongly concur.
>
> There is though value in defining "MUST support" algos, otherwise poor 
> users could be faced with having routers which all implement OSPF but 
> can be made to interoperate unless authentication is left 
> unconfigured.
>
> MD5 at least should be defined as a MUST support.
>
> (Despite the pre-image weaknesses, it's still not yet completely
>   insecure in MAC mode)
>
> regards,
> --
> Paul Jakma      paul@clubi.ie   paul@jakma.org  Key ID: 64A2FF6A

_______________________________________________
OSPF mailing list
OSPF@ietf.org
https://www1.ietf.org/mailman/listinfo/ospf
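
Added example, not part of the thread or of the draft: a small Python model of the two points discussed above, that authentication fails on any mismatch of algorithm or key, and that router images with no hash in common cannot be fixed by configuration alone. The image inventory, packet bytes, key and function names are constructed for illustration, and the packet is not the OSPF wire format.

```python
import hmac
from itertools import combinations

# Constructed inventory: hash algorithms each router image ships with.
IMAGES = {
    "vendorA": {"sha1"},
    "vendorB": {"sha256"},
    "vendorC": {"sha1", "sha256"},
}

def tag(packet: bytes, key: bytes, algo: str) -> bytes:
    """HMAC over the packet bytes with the locally configured key and hash."""
    return hmac.new(key, packet, algo).digest()

def accepts(packet: bytes, received_tag: bytes, key: bytes, algo: str) -> bool:
    """Receiver recomputes the tag from its own configuration and compares."""
    return hmac.compare_digest(tag(packet, key, algo), received_tag)

def stranded_pairs(images, must_support=frozenset()):
    """Pairs of images with no hash in common, so no configuration change
    can make authentication succeed between them. must_support models a
    baseline that every image is assumed to implement in addition."""
    out = []
    for a, b in combinations(sorted(images), 2):
        if not (images[a] | must_support) & (images[b] | must_support):
            out.append((a, b))
    return out

# Constructed packet and key; the sender is configured for HMAC-SHA1.
PACKET = b"constructed hello packet"
KEY = b"shared-secret"
SENT = tag(PACKET, KEY, "sha1")

if __name__ == "__main__":
    print("same algo, same key :", accepts(PACKET, SENT, KEY, "sha1"))
    print("algo mismatch       :", accepts(PACKET, SENT, KEY, "sha256"))
    print("key mismatch        :", accepts(PACKET, SENT, b"other", "sha1"))
    print("stranded, no MUST   :", stranded_pairs(IMAGES))
    print("stranded, with MUST :", stranded_pairs(IMAGES, frozenset({"md5"})))
```

An algorithm or key mismatch is a configuration fix only when both images implement a common hash; the pair reported by stranded_pairs needs an image upgrade unless a baseline is mandated.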

