Re: [OSPF] Revised OSPF HMAC SHA Authentication Draft
Erblichs <erblichs@earthlink.net> Mon, 28 August 2006 21:14 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHoQl-0001NV-9c; Mon, 28 Aug 2006 17:14:03 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHoPz-0000yu-FB for ospf@ietf.org; Mon, 28 Aug 2006 17:13:15 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GHnXZ-0003IL-HN for ospf@ietf.org; Mon, 28 Aug 2006 16:17:01 -0400
Received: from elasmtp-kukur.atl.sa.earthlink.net ([209.86.89.65]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1GHnSP-0007FN-U2 for ospf@ietf.org; Mon, 28 Aug 2006 16:11:44 -0400
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=earthlink.net; b=QrrEOovwkrM8PnuYWBq+BYCwbMK8wraVQURhZGOT3HBYelO8QeJHbMSwDSATCBbu; h=Received:Message-ID:Date:From:X-Sender:X-Mailer:X-Accept-Language:MIME-Version:To:CC:Subject:References:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP;
Received: from [68.164.91.216] (helo=earthlink.net) by elasmtp-kukur.atl.sa.earthlink.net with asmtp (Exim 4.34) id 1GHnSI-0007QE-TX; Mon, 28 Aug 2006 16:11:35 -0400
Message-ID: <44F34E34.5CFD81A4@earthlink.net>
Date: Mon, 28 Aug 2006 13:12:36 -0700
From: Erblichs <erblichs@earthlink.net>
X-Sender: "Erblichs" <erblichs@earthlink.net@smtpauth.earthlink.net> (Unverified)
X-Mailer: Mozilla 4.72 [en]C-gatewaynet (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Vishwas Manral <vishwas.ietf@gmail.com>
Subject: Re: [OSPF] Revised OSPF HMAC SHA Authentication Draft
References: <77ead0ec0608232153j6eb2add0l42cbc084fe3c4ec3@mail.gmail.com> <001601c6c73f$4c2d44a0$9207120a@china.huawei.com> <77ead0ec0608280318p1b73e218v8bca87253ae30933@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: 7bit
X-ELNK-Trace: 074f60c55517ea841aa676d7e74259b7b3291a7d08dfec79b4fc5b86fdbb9ace153a64c3f263bb67350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 68.164.91.216
X-Spam-Score: -1.7 (-)
X-Scan-Signature: 2ed806e2f53ff1a061ad4f97e00345ac
Cc: ospf@ietf.org, paul@jakma.org, Mailing List <OSPF@peach.ease.lsoft.com>
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
Errors-To: ospf-bounces@ietf.org
Group, Sometimes a minor opinion.. First. Up to this point, IMO, 99%+ nbr misconfigs could be debuged at 1 local router with review of incoming pkts. With this "work-in-progress", this will NO longer be the case if we overload type 2. What is a 'Must' clause going to achieve? By default ALL implementations support MD5, simple/clear, and NULL auth. The only high probability of a nbr formation is to use one of these three. Yes, MD5 was the defacto standand auth 2 algor. Thus, any algor that super-ceeds one of these auths, at this time, will not guarantee interoperability. However, as pointed out in the draft, the highest common auth is not highly secure, but could be used as a fall back. Yes, the admin would see either before or after a nbr formation attempt that a mismatch exists, and reconfigs the routers to use the fallback. Thus, to support backward compatibility and to secure against SOME attacks, IMO all configs SHOULD/MUST support MD5. If this is the case, would the clause only improve the chance that "MD5" is not removed as newer algors are supported? Or is their a thought for a algor other than MD5 to specified as the MUST algor? Mitchell Erblich ---------------- Vishwas Manral wrote: > > Sujay, > > I agree we can include that in the draft. The reason as well as the > links to the draft. > > Thanks, > Vishwas > > On 8/24/06, sujay <sujayg@huawei.com> wrote: > > Agree, > > While a failed authentication could be basically due to configuration issues > > or > > Mismatched algo's.Where 'Configuration' can be changed, but a 'not supported > > algo' > > may need an Image upgrade. It's my guess image upgrade may not be > > thoroughly welcome. > > We do need a 'Must' support algo. clause. > > > > Vishwas ; would it be a nice idea to add a section in the current draft, > > talking about this issue > > and with cross reference to the below mentioned drafts?? > > > > > > Regds, > > Sujay G > > My Location; > > http://maps.google.com/maps?ll=14.626109,76.959229&spn=4.724852,7.525085&t=h > > &hl=en > > > > > > This e-mail and attachments contain confidential information from HUAWEI, > > which is intended only for the person or entity whose address is listed > > above. Any use of the information contained herein in any way (including, > > but not limited to, total or partial disclosure, reproduction, or > > dissemination) by persons other than the intended recipient's) is > > prohibited. If you receive this e-mail in error, please notify the sender by > > phone or email immediately and delete it! > > -----Original Message----- > > From: Vishwas Manral [mailto:vishwas.ietf@gmail.com] > > Sent: Thursday, August 24, 2006 10:24 AM > > To: paul@jakma.org > > Cc: ospf@ietf.org; Mailing List > > Subject: Re: [OSPF] Revised OSPF HMAC SHA Authentication Draft > > > > Paul, > > > > > There is though value in defining "MUST support" algos, otherwise poor > > > users could be faced with having routers which all implement OSPF but > > > can be made to interoperate unless authentication is left > > > unconfigured. > > We have drafts to meet the following exact requirements: > > http://www.ietf.org/internet-drafts/draft-bhatia-manral-crypto-req-ospf-00.t > > xt > > and > > http://www.ietf.org/internet-drafts/draft-bhatia-manral-crypto-req-isis-00.t > > xt > > > > for OSPF and IS-IS respectively. > > > > Thanks, > > Vishwas > > > > On 8/24/06, Paul Jakma <paul@clubi.ie> wrote: > > > On Wed, 23 Aug 2006, Dave Katz wrote: > > > > > > > Sigh. C'mon, folks, there is no problem. > > > > > > > At the end of the day it doesn't matter if the value of 2 or 3 or > > > > 42 is used; if there's a mismatch on the the algorithm ID, the > > > > algorithm, or the key, the authentication will fail, and if it all > > > > matches, it will work. > > > > > > Strongly concur. > > > > > > There is though value in defining "MUST support" algos, otherwise poor > > > users could be faced with having routers which all implement OSPF but > > > can be made to interoperate unless authentication is left > > > unconfigured. > > > > > > MD5 at least should be defined as a MUST support. > > > > > > (Despite the pre-image weaknesses, it's still not yet completely > > > insecure in MAC mode) > > > > > > regards, > > > -- > > > Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A > > > > _______________________________________________ > > OSPF mailing list > > OSPF@ietf.org > > https://www1.ietf.org/mailman/listinfo/ospf > > > > > > _______________________________________________ > OSPF mailing list > OSPF@ietf.org > https://www1.ietf.org/mailman/listinfo/ospf _______________________________________________ OSPF mailing list OSPF@ietf.org https://www1.ietf.org/mailman/listinfo/ospf
- [OSPF] Revised OSPF HMAC SHA Authentication Draft Vishwas Manral
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Erblichs
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Manav Bhatia
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Erblichs
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Manav Bhatia
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Phil Cowburn
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Acee Lindem
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Phil Cowburn
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… tom.petch
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Tom Sanders
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Manav Bhatia
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Tom Sanders
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Michael J Barnes
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Acee Lindem
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Russ White
- RE: [OSPF] Revised OSPF HMAC SHA Authentication D… sujay
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Manav Bhatia
- RE: [OSPF] Revised OSPF HMAC SHA Authentication D… Manav Bhatia
- RE: [OSPF] Revised OSPF HMAC SHA Authentication D… sujay
- RE: [OSPF] Revised OSPF HMAC SHA Authentication D… sujay
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Dave Katz
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Paul Jakma
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Vishwas Manral
- RE: [OSPF] Revised OSPF HMAC SHA Authentication D… sujay
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Vishwas Manral
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Erblichs
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Vishwas Manral
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Tom Sanders
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Tom Sanders
- Re: [OSPF] Revised OSPF HMAC SHA Authentication D… Acee Lindem