IETF Logo Mail Archive

Re: [OSPF] Revised OSPF HMAC SHA Authentication Draft

Erblichs <erblichs@earthlink.net> Mon, 28 August 2006 21:14 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHoQl-0001NV-9c; Mon, 28 Aug 2006 17:14:03 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHoPz-0000yu-FB for ospf@ietf.org; Mon, 28 Aug 2006 17:13:15 -0400
Received: from stsc1260-eth-s1-s1p1-vip.va.neustar.com ([156.154.16.129] helo=chiedprmail1.ietf.org) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GHnXZ-0003IL-HN for ospf@ietf.org; Mon, 28 Aug 2006 16:17:01 -0400
Received: from elasmtp-kukur.atl.sa.earthlink.net ([209.86.89.65]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1GHnSP-0007FN-U2 for ospf@ietf.org; Mon, 28 Aug 2006 16:11:44 -0400
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=earthlink.net; b=QrrEOovwkrM8PnuYWBq+BYCwbMK8wraVQURhZGOT3HBYelO8QeJHbMSwDSATCBbu; h=Received:Message-ID:Date:From:X-Sender:X-Mailer:X-Accept-Language:MIME-Version:To:CC:Subject:References:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP;
Received: from [68.164.91.216] (helo=earthlink.net) by elasmtp-kukur.atl.sa.earthlink.net with asmtp (Exim 4.34) id 1GHnSI-0007QE-TX; Mon, 28 Aug 2006 16:11:35 -0400
Message-ID: <44F34E34.5CFD81A4@earthlink.net>
Date: Mon, 28 Aug 2006 13:12:36 -0700
From: Erblichs <erblichs@earthlink.net>
X-Sender: "Erblichs" <erblichs@earthlink.net@smtpauth.earthlink.net> (Unverified)
X-Mailer: Mozilla 4.72 [en]C-gatewaynet (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Vishwas Manral <vishwas.ietf@gmail.com>
Subject: Re: [OSPF] Revised OSPF HMAC SHA Authentication Draft
References: <77ead0ec0608232153j6eb2add0l42cbc084fe3c4ec3@mail.gmail.com> <001601c6c73f$4c2d44a0$9207120a@china.huawei.com> <77ead0ec0608280318p1b73e218v8bca87253ae30933@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: 7bit
X-ELNK-Trace: 074f60c55517ea841aa676d7e74259b7b3291a7d08dfec79b4fc5b86fdbb9ace153a64c3f263bb67350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 68.164.91.216
X-Spam-Score: -1.7 (-)
X-Scan-Signature: 2ed806e2f53ff1a061ad4f97e00345ac
Cc: ospf@ietf.org, paul@jakma.org, Mailing List <OSPF@peach.ease.lsoft.com>
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
Errors-To: ospf-bounces@ietf.org

Group,

	Sometimes a minor opinion..

	First. Up to this point, IMO, 99%+ nbr misconfigs
	could be debuged at 1 local router with review of
	incoming pkts. With this "work-in-progress", 
	this will NO longer be the case if we overload
	type 2.

	What is a 'Must' clause going to achieve?

	  By default ALL implementations support MD5, simple/clear,
	  and NULL auth. The only high probability of a nbr
	  formation is to use one of these three. Yes, MD5 was
	  the defacto standand auth 2 algor.

	  Thus, any algor that super-ceeds one of these auths,
	  at this time, will not guarantee interoperability.

	  However, as pointed out in the draft, the highest
	  common auth is not highly secure, but could be used
	  as a fall back. Yes, the admin would see either before
	  or after a nbr formation attempt that a mismatch
	  exists, and reconfigs the routers to use the fallback.

	  Thus, to support backward compatibility and to secure
	  against SOME attacks, IMO all configs SHOULD/MUST support
	  MD5. 

	  If this is the case, would the clause only improve the
	  chance that "MD5" is not removed as newer algors are
	  supported?

	  Or is their a thought for a algor other than MD5 to
	  specified as the MUST algor?


	Mitchell Erblich
	----------------
	

	  
	  

Vishwas Manral wrote:
> 
> Sujay,
> 
> I agree we can include that in the draft. The reason as well as the
> links to the draft.
> 
> Thanks,
> Vishwas
> 
> On 8/24/06, sujay <sujayg@huawei.com> wrote:
> > Agree,
> > While a failed authentication could be basically due to configuration issues
> > or
> > Mismatched algo's.Where 'Configuration' can be changed, but a 'not supported
> > algo'
> > may need  an  Image upgrade. It's my guess image upgrade may not be
> > thoroughly welcome.
> > We do need a 'Must' support algo. clause.
> >
> > Vishwas ; would it be a nice idea to add a section in the current draft,
> > talking about this issue
> > and with cross reference to the below mentioned drafts??
> >
> >
> > Regds,
> > Sujay G
> > My Location;
> > http://maps.google.com/maps?ll=14.626109,76.959229&spn=4.724852,7.525085&t=h
> > &hl=en
> >
> >
> > This e-mail and attachments contain confidential information from HUAWEI,
> > which is intended only for the person or entity whose address is listed
> > above. Any use of the information contained herein in any way (including,
> > but not limited to, total or partial disclosure, reproduction, or
> > dissemination) by persons other than the intended recipient's) is
> > prohibited. If you receive this e-mail in error, please notify the sender by
> > phone or email immediately and delete it!
> > -----Original Message-----
> > From: Vishwas Manral [mailto:vishwas.ietf@gmail.com]
> > Sent: Thursday, August 24, 2006 10:24 AM
> > To: paul@jakma.org
> > Cc: ospf@ietf.org; Mailing List
> > Subject: Re: [OSPF] Revised OSPF HMAC SHA Authentication Draft
> >
> > Paul,
> >
> > > There is though value in defining "MUST support" algos, otherwise poor
> > > users could be faced with having routers which all implement OSPF but
> > > can be made to interoperate unless authentication is left
> > > unconfigured.
> > We have drafts to meet the following exact requirements:
> > http://www.ietf.org/internet-drafts/draft-bhatia-manral-crypto-req-ospf-00.t
> > xt
> >  and
> > http://www.ietf.org/internet-drafts/draft-bhatia-manral-crypto-req-isis-00.t
> > xt
> >
> > for OSPF and IS-IS respectively.
> >
> > Thanks,
> > Vishwas
> >
> > On 8/24/06, Paul Jakma <paul@clubi.ie> wrote:
> > > On Wed, 23 Aug 2006, Dave Katz wrote:
> > >
> > > > Sigh.  C'mon, folks, there is no problem.
> > >
> > > > At the end of the day it doesn't matter if the value of 2 or 3 or
> > > > 42 is used; if there's a mismatch on the the algorithm ID, the
> > > > algorithm, or the key, the authentication will fail, and if it all
> > > > matches, it will work.
> > >
> > > Strongly concur.
> > >
> > > There is though value in defining "MUST support" algos, otherwise poor
> > > users could be faced with having routers which all implement OSPF but
> > > can be made to interoperate unless authentication is left
> > > unconfigured.
> > >
> > > MD5 at least should be defined as a MUST support.
> > >
> > > (Despite the pre-image weaknesses, it's still not yet completely
> > >   insecure in MAC mode)
> > >
> > > regards,
> > > --
> > > Paul Jakma      paul@clubi.ie   paul@jakma.org  Key ID: 64A2FF6A
> >
> > _______________________________________________
> > OSPF mailing list
> > OSPF@ietf.org
> > https://www1.ietf.org/mailman/listinfo/ospf
> >
> >
> 
> _______________________________________________
> OSPF mailing list
> OSPF@ietf.org
> https://www1.ietf.org/mailman/listinfo/ospf

_______________________________________________
OSPF mailing list
OSPF@ietf.org
https://www1.ietf.org/mailman/listinfo/ospf

v2.23.0 | Report a Bug | By Email