Re: [OSPF] OSPF HMAC Cryptographic Authentication

Manav Bhatia <manav_bhatia06@yahoo.co.uk> Tue, 25 July 2006 14:34 UTC

Message-ID: <20060725143433.18777.qmail@web25411.mail.ukl.yahoo.com>
Date: Tue, 25 Jul 2006 14:34:33 +0000
From: Manav Bhatia <manav_bhatia06@yahoo.co.uk>
Subject: Re: [OSPF] OSPF HMAC Cryptographic Authentication
To: Phil Cowburn <phil.cowburn@gmail.com>, vishwas.ietf@gmail.com
In-Reply-To: <6e6ce9380607212051j5dbb9362q174cbf425a8b566e@mail.gmail.com>
Cc: ospf@ietf.org

Hi Phil,
 
RFC 2104 has the C code that allows the text being hashed to be of an arbitrary length; the only restriction imposed is that the length must be a multiple of 8 bits (octet). If you look at draft-eastlake-sha2-02.txt then it allows the text to be hashed to contain an arbitrary number of bits.
 
Similarly, the code in RFC 3174 is a "byte-level" implementation. The same draft allows the text to be of an arbitrary length. It adds to the RFC 3174 API an additional call,
SHA1FinalBits(), that lets the remaining bits be added to the hash.

I would prefer to refer to this draft as it (i) has full support for all the SHA2 algorithms and (ii) adds HMAC support for both SHA1 and SHA2 algorithms.
 
Thanks,
Manav
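As an added example (not code from the draft or from any poster in this thread), the two technical points raised here in working Python: the RFC 2104 HMAC construction built directly from a bare hash, with the block size B stated in bytes (64 for SHA-1 and SHA-256, 128 for SHA-384 and SHA-512) and text accepted as any whole number of octets, which is the restriction Manav describes above; and Vishwas's point further down the thread that the opaque Key ID is what tells the receiver which key and which algorithm apply, so no new packet field is needed. The SA table, keys and packet bytes are constructed for illustration; the draft's own digest placement and trailer format are not modeled, only the algorithm-selection and verification logic.

```python
import hashlib
import hmac  # stdlib HMAC, used only for constant-time compare and cross-checking


# RFC 2104 block size B of each hash, in BYTES (the unit Phil asked the draft to state).
# hashlib.new(name).block_size reports the same values.
HASH_BLOCK_SIZE = {"sha1": 64, "sha256": 64, "sha384": 128, "sha512": 128}


def rfc2104_hmac(key: bytes, text: bytes, algo: str) -> bytes:
    """HMAC as in RFC 2104 section 2: H(K XOR opad, H(K XOR ipad, text)).

    Keys longer than B bytes are hashed first, shorter keys are zero-padded
    to B. 'text' is any whole number of octets, which is RFC 2104's only
    length restriction (bit-granular input is the extension Manav mentions).
    """
    B = HASH_BLOCK_SIZE[algo]
    if len(key) > B:
        key = hashlib.new(algo, key).digest()
    key = key.ljust(B, b"\x00")
    ipad_key = bytes(k ^ 0x36 for k in key)
    opad_key = bytes(k ^ 0x5C for k in key)
    inner = hashlib.new(algo, ipad_key + text).digest()
    return hashlib.new(algo, opad_key + inner).digest()


def matches_stdlib(key: bytes, text: bytes, algo: str) -> bool:
    """Cross-check the hand-built construction against hashlib's own HMAC."""
    return rfc2104_hmac(key, text, algo) == hmac.new(key, text, algo).digest()


# Constructed security associations for one interface, indexed by the opaque
# OSPF Key ID. Nothing on the wire names the hash; the receiver learns it from
# the SA its Key ID maps to, which both ends must have configured identically.
SA_TABLE = {
    1: ("sha1", b"constructed-key-for-keyid-1"),
    2: ("sha256", b"constructed-key-for-keyid-2-" + b"x" * 60),  # > 64 bytes, so it gets hashed
    3: ("sha512", b"constructed-key-for-keyid-3"),
}


def sign_packet(key_id: int, packet: bytes) -> bytes:
    """Sender: the SA chosen by Key ID supplies both the algorithm and the key."""
    algo, key = SA_TABLE[key_id]
    return rfc2104_hmac(key, packet, algo)


def verify_packet(key_id: int, packet: bytes, received_digest: bytes) -> bool:
    """Receiver: an unknown Key ID has no SA, so the packet is dropped; otherwise
    recompute and compare in constant time so a wrong digest leaks nothing by timing."""
    sa = SA_TABLE.get(key_id)
    if sa is None:
        return False
    algo, key = sa
    expected = rfc2104_hmac(key, packet, algo)
    return hmac.compare_digest(expected, received_digest)


if __name__ == "__main__":
    # RFC 2202 test case 1 for HMAC-SHA-1: key = 20 x 0x0b, text = "Hi There".
    print(rfc2104_hmac(b"\x0b" * 20, b"Hi There", "sha1").hex())
    pkt = b"constructed OSPF packet bytes"  # constructed, not a real OSPF header
    for key_id in SA_TABLE:
        d = sign_packet(key_id, pkt)
        print(key_id, SA_TABLE[key_id][0], len(d), verify_packet(key_id, pkt, d))
    print("peer with a different SA rejects:", verify_packet(3, pkt, sign_packet(1, pkt)))
```

The digest length already differs between Key IDs 1, 2 and 3 (20, 32 and 64 bytes), which is the visible consequence of Vishwas's observation: a receiver that maps the same Key ID to a different algorithm than the sender simply fails verification, so agreement on the Key ID to SA mapping is an operational requirement at both ends rather than something negotiated in the packet.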

----- Original Message ----
From: Phil Cowburn <phil.cowburn@gmail.com>
To: vishwas.ietf@gmail.com; rohitgupta416@indiatimes.com
Cc: ospf@ietf.org
Sent: Saturday, 22 July, 2006 9:21:44 AM
Subject: Re: [OSPF] OSPF HMAC Cryptographic Authentication


Hi,

In Section 5 you've mentioned the block sizes without units. I presume
they are in bytes, but it would be good if you explicitly state this.

I think it might be good to refer to RFC 3174 somewhere.

Also AFAIK RFC 2104 has the C code to compute HMAC when the text input
is fixed in length. SHA algorithms are defined in terms of variable
number of bits. There may thus be some modifications required in HMAC
C code for SHA. You may want to capture this somewhere.

Otherwise the draft looks in good shape and has been long due. It's
time we all moved away from using MD5 to something that's
stronger.

Is there a similar work for TCP based protocols like LDP and BGP? Or
other routing protocols like RIP (naah .. am not sure if we really
need something like this for RIP) and i-ISIS (for IP)?

Phil

----- Original Message ----
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: Rohit Gupta <rohitgupta416@indiatimes.com>
Cc: ospf@ietf.org
Sent: Monday, 17 July, 2006 9:54:59 PM
Subject: Re: [OSPF] OSPF HMAC Cryptographic Authentication


Hi Rohit,

The authors of the OSPF RFC have done it very intelligently. By
allowing the KeyId field which is Opaque, the value of the KeyId
itself defines a separate security association (channel). It is the
understanding between the two ends, that a particular KeyId identifies
a key as well as the cryptographic algorithm used.

That is the reason we do not need any new fields.

Thanks,
Vishwas

On 7/17/06, Rohit Gupta <rohitgupta416@indiatimes.com> wrote:
> Hi,
>
> I could not see any new field added in the OSPF message. How do you then make out whether the OSPF router is using HMAC-SHA1 algorithm or the MD5 (the normal OSPF authentication algorithm)?
>
> Thanks,
> Rohit
>
> ----- Original Message ----
> From: Manav Bhatia <manav_bhatia06@yahoo.co.uk>
> To: ospf@ietf.org
> Sent: Saturday, 15 July, 2006 5:06:45 AM
> Subject: [OSPF] OSPF HMAC Cryptographic Authentication
>
>
> Hi,
>
> We have just posted a draft that describes a mechanism for authenticating OSPF packets by making use of HMAC algorithm in conjunction with the SHA family of cryptographic hash functions. It would be great if the WG can provide some feedback and comments on the same.
>
> http://www.ietf.org/internet-drafts/draft-bhatia-manral-white-ospf-hmac-sha-00.txt
>
> Thanks,
> Manav
>
> > ----- Forwarded Message ----
> > From: Internet-Drafts@ietf.org
> > To: i-d-announce@ietf.org
> > Sent: Saturday, July 15, 2006 1:20:01 AM
> > Subject: I-D ACTION:draft-bhatia-manral-white-ospf-hmac-sha-00.txt
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories.
> >
> >
> >    Title        : OSPF HMAC Cryptographic Authentication
> >    Author(s)    : M. Bhatia, et al.
> >    Filename    : draft-bhatia-manral-white-ospf-hmac-sha-00.txt
> >    Pages        : 10
> >    Date        : 2006-6-14
> >
> >   This document describes a mechanism for authenticating OSPF packets
> >   by making use of the HMAC algorithm in conjunction with the SHA
> >   family of cryptographic hash functions. Because of the way the hash
> >   functions are used in HMAC construction, the collision attacks
> >   currently known against SHA-1 do not apply.
> >
> >   This will be done in addition to the already documented
> >   authentication schemes described in the base specification.
> >
> >
> > A URL for this Internet-Draft is:
> > http://www.ietf.org/internet-drafts/draft-bhatia-manral-white-ospf-hmac-sha-00.txt
> >
> > To remove yourself from the I-D Announcement list, send a message to
> > i-d-announce-request@ietf.org with the word unsubscribe in the body of the
> > message.
> > You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
> > to change your subscription settings.
> >
>
> _______________________________________________
> OSPF mailing list
> OSPF@ietf.org
> https://www1.ietf.org/mailman/listinfo/ospf
>
>
