Re: Questions about OSPF v3 security draft

Vishwas Manral <Vishwas@SINETT.COM> Tue, 15 February 2005 04:52 UTC

Received: from cherry.ease.lsoft.com (cherry.ease.lsoft.com [209.119.0.109]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA26703 for <ospf-archive@LISTS.IETF.ORG>; Mon, 14 Feb 2005 23:52:31 -0500 (EST)
Received: from vms.dc.lsoft.com (209.119.0.2) by cherry.ease.lsoft.com (LSMTP for Digital Unix v1.1b) with SMTP id <13.00F8D47B@cherry.ease.lsoft.com>; Mon, 14 Feb 2005 23:52:26 -0500
Received: by PEACH.EASE.LSOFT.COM (LISTSERV-TCP/IP release 14.3) with spool id 57851506 for OSPF@PEACH.EASE.LSOFT.COM; Mon, 14 Feb 2005 23:52:23 -0500
Received: from 63.197.255.158 by WALNUT.EASE.LSOFT.COM (SMTPL release 1.0l) with TCP; Mon, 14 Feb 2005 23:52:23 -0500
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C5131B.9A22B41C"
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Thread-Topic: Questions about OSPF v3 security draft
Thread-Index: AcUQSDbJNaXAodg2QlWcHOtQ3pQZYQC0ndZQ
Message-ID: <BB6D74C75CC76A419B6D6FA7C38317B2628A8C@sinett-sbs.SiNett.LAN>
Date: Mon, 14 Feb 2005 21:01:28 -0800
Reply-To: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
Sender: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
From: Vishwas Manral <Vishwas@SINETT.COM>
Subject: Re: Questions about OSPF v3 security draft
To: OSPF@PEACH.EASE.LSOFT.COM
Precedence: list

Hi Mike,

I think both the authors are on leave, so they will probably reply
later.

However regarding the first point, I agree the wording should be
clearer. However what it means is we will use the same crypto-algorithm
and keys for all traffic to a neighbor over an interface.

Regarding the second point, I think I too have brought the issue on this
list and the reply I think was that the draft does not prohibit the use
of IKE for unicast flows.

Thanks,

Vishwas

________________________________

From: Mailing List [mailto:OSPF@PEACH.EASE.LSOFT.COM] On Behalf Of Mike
Fox
Sent: Friday, February 11, 2005 8:04 PM
To: OSPF@PEACH.EASE.LSOFT.COM
Subject: Questions about OSPF v3 security draft

Regarding
http://www.ietf.org/internet-drafts/draft-ietf-ospf-ospfv3-auth-07.txt,
and the previous drafts, a couple of questions have come up in our shop.


1) Section 7, 2nd paragraph says "the implementations MUST use manually
configured keys with same SA for inbound and outbound traffic (as shown
in figure 3)." I assume the "same SA" MUST rule applies to multicast
traffic only and not unicast traffic. This is because an SA is defined
as an SPI, security protocol (AH or ESP), and destination IP address.
For unicast addresses, by definition there will be as many SAs as there
are unicast destination addresses. Therefore, I don't think it is
possible to apply this MUST rule given the current IPSec definition (RFC
2401 section 4.1) of an SA for unicast. Assuming the intention of the
draft was to apply only to multicast and given the number of potential
SAs carrying unicast traffic, it would seem that using IKE to set up the
SAs dynamically would be a reasonable alternative to manual keying.
2) Section 9, 2nd paragraph discusses setting up a "secure IPSec channel
dynamically once it acquires the required information". Since this
traffic is unicast only, IKE could easily set up the required SAs
without knowing the specific IP addresses in advance. Creating SAs
dynamically does not fit easily within the scope of manual SA functional
capabilities. Why not use IKE for this traffic? Is this an acceptable
option?

Mike 

-----------------------------------------------------------------------
Enterprise Network Solutions
-----------------------------------------------------------------------
Research Triangle Park, NC  USA
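The SA-counting argument in Mike's first question, and the per-interface "same algorithm and key for all traffic to a neighbor" reading in Vishwas's reply, can be made concrete with a small model. The following Python is an added illustration for this archive page; it is not code from the OSPFv3 authentication draft or from either poster. It builds an SAD keyed the RFC 2401 section 4.1 way (SPI, security protocol, destination address) for one link and shows that the multicast groups yield one SA used in both directions while each unicast neighbor adds a further SAD entry, then contrasts that with an assumed per-interface table keyed by (interface, SPI) that ignores the destination. The addresses, SPI, key and algorithm name are constructed sample values, and the per-interface table is an assumed realization of the policy described in the reply, not a lookup rule quoted from the draft.

```python
"""Model of how OSPFv3 packets on one link map onto IPsec SAs.

Added illustration for the list-archive page; not code from the OSPFv3
authentication draft or from either poster.  Sample addresses, SPI,
key and algorithm are constructed values.  InterfaceSad is an ASSUMED
realization of the per-interface policy described in the reply, not a
lookup rule taken from the draft.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_SPF_ROUTERS = "ff02::5"   # OSPFv3 AllSPFRouters multicast group
ALL_D_ROUTERS = "ff02::6"     # OSPFv3 AllDRouters multicast group


@dataclass(frozen=True)
class Sa:
    spi: int
    protocol: str       # "AH" or "ESP"
    destination: str    # part of the RFC 2401 section 4.1 identifier
    key: bytes
    algorithm: str


class Rfc2401Sad:
    """SAD keyed by (SPI, protocol, destination) as RFC 2401 4.1 defines an SA."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[int, str, str], Sa] = {}

    def add(self, sa: Sa) -> None:
        self.entries[(sa.spi, sa.protocol, sa.destination)] = sa

    def lookup(self, spi: int, protocol: str, destination: str) -> Optional[Sa]:
        return self.entries.get((spi, protocol, destination))


def build_rfc2401_sad(my_addr: str, neighbors: List[str], spi: int,
                      protocol: str, key: bytes, algorithm: str) -> Rfc2401Sad:
    """One SAD entry per distinct destination seen on the link: both
    multicast groups, our own link-local address (inbound unicast) and
    each neighbor's address (outbound unicast).  Every entry carries the
    same SPI, key and algorithm, yet each is a separate SA under RFC 2401."""
    sad = Rfc2401Sad()
    for dst in (ALL_SPF_ROUTERS, ALL_D_ROUTERS, my_addr, *neighbors):
        sad.add(Sa(spi, protocol, dst, key, algorithm))
    return sad


def same_sa_both_directions(sad: Rfc2401Sad, spi: int, protocol: str,
                            my_addr: str, dst_out: str) -> bool:
    """Does the outbound packet (me -> dst_out) and the matching inbound
    packet (peer -> dst_out for multicast, peer -> me for unicast) resolve
    to the very same SAD entry?  True for the multicast groups, False for
    any unicast neighbor, which is the asymmetry the question points at."""
    out_sa = sad.lookup(spi, protocol, dst_out)
    dst_in = dst_out if dst_out.lower().startswith("ff") else my_addr
    in_sa = sad.lookup(spi, protocol, dst_in)
    return out_sa is not None and out_sa is in_sa


class InterfaceSad:
    """ASSUMED per-interface table: one SA per (interface, SPI), selected
    without regard to destination, so multicast and every unicast neighbor
    on the link share the same algorithm and key."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, int], Sa] = {}

    def add(self, ifname: str, sa: Sa) -> None:
        self.entries[(ifname, sa.spi)] = sa

    def lookup(self, ifname: str, spi: int) -> Optional[Sa]:
        return self.entries.get((ifname, spi))


def sa_count_comparison(neighbors: List[str]) -> Tuple[int, int]:
    """Number of SAD entries needed for one link under the RFC 2401 model
    versus the per-interface model, for the given neighbor list."""
    my_addr, spi, key, alg = "fe80::1", 256, b"constructed-sample-key", "HMAC-SHA1-96"
    rfc = build_rfc2401_sad(my_addr, neighbors, spi, "AH", key, alg)
    per_if = InterfaceSad()
    per_if.add("eth0", Sa(spi, "AH", "*", key, alg))
    return len(rfc.entries), len(per_if.entries)


if __name__ == "__main__":
    nbrs = ["fe80::2", "fe80::3", "fe80::4"]          # constructed neighbors
    sad = build_rfc2401_sad("fe80::1", nbrs, 256, "AH", b"k", "HMAC-SHA1-96")
    print("SAs (RFC 2401 vs per-interface):", sa_count_comparison(nbrs))
    print("multicast same SA both ways:",
          same_sa_both_directions(sad, 256, "AH", "fe80::1", ALL_SPF_ROUTERS))
    print("unicast same SA both ways:",
          same_sa_both_directions(sad, 256, "AH", "fe80::1", "fe80::2"))
```

With three neighbors the RFC 2401 table holds six SAs (two multicast groups, the local address, three neighbor addresses) even though all six share one SPI and key, while the per-interface table holds one; that gap is what grows with neighbor count and is the reason the question asks whether IKE should set up the unicast SAs.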