Re: [OSPF] Revised OSPF HMAC SHA Authentication Draft

"Tom Sanders" <toms.sanders@gmail.com> Mon, 21 August 2006 11:20 UTC

Message-ID: <6ed23a860608210420h19486857i748aa01cf65a91c9@mail.gmail.com>
Date: Mon, 21 Aug 2006 16:50:38 +0530
From: Tom Sanders <toms.sanders@gmail.com>
To: ospf@ietf.org
Subject: Re: [OSPF] Revised OSPF HMAC SHA Authentication Draft
In-Reply-To: <6e6ce9380608191759j6cee8034w44b0130d1d98d2e1@mail.gmail.com>
References: <20060819171729.55449.qmail@web25411.mail.ukl.yahoo.com> <6e6ce9380608191759j6cee8034w44b0130d1d98d2e1@mail.gmail.com>

Folks,

Obviously the point that Erblich is trying to make is that OSPF may
be "technically" capable of supporting HMAC-SHA authentication in its
current form, but OAM may be an issue and it may become harder to
debug an auth mismatch.

In the end the operator can always look at the router configurations
in case OSPF doesn't come up and would know that the auth algos don't
match. This can then be fixed.

Yeah... yeah... I understand this!

What I miserably fail to understand is the reluctance in the WG to use
a new authentication type. We have 16 bits reserved for this field and
I don't see this being used up any time in the coming future.

Explicitly indicating the auth algo details in the header makes, in my
view, debugging extremely easy. I understand that we would be eating
up type codes that we would have to fill in the OSPF header each time
we come up with a new authentication algorithm, but given the size of
this field I don't think it's a point of concern.

Is it possible to poll the WG on what they think is the right
approach? Chairs, Authors?

The poll should be on whether we should proceed as-is in the draft or
should we use a new type field for each new authentication scheme that
we come out with?

On 20/08/06, Phil Cowburn <phil.cowburn@gmail.com> wrote:
> I strongly agree with Manav here and an implementation must be able to
> demultiplex using the Key ID in the incoming packet. It is after all
> for this very reason that we put the Key ID in the packet.
>
> Erblich's point, as I read it, is that most implementations (if not
> all) currently take type 2 to mean MD5. This may break once this draft
> becomes a standard, which it would, in some time.
>
> My take on this is that even if the WG agrees to Erblich's solution and
> introduces a new type, say 3 for HMAC-SHA-1 authentication, then
> somebody else could repeat the same argument and clamour for a new
> type when we're introducing newer authentication algorithms in the
> future.
>
> Let's move on from this issue.
>
> Phil

-- 
Toms.

_______________________________________________
OSPF mailing list
OSPF@ietf.org
https://www1.ietf.org/mailman/listinfo/ospf
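The two receiver behaviours the thread argues about, as an added example that is not part of this thread, of the draft, or of any OSPF implementation: a receiver that keeps AuType 2 and demultiplexes on the Key ID (Phil's position), beside a pre-draft receiver that hard-wires AuType 2 to MD5 (the breakage Erblich worries about), and the error the Key-ID receiver can report when sender and receiver disagree on the algorithm (Tom's debugging concern). The header layout and the MD5 scheme follow RFC 2328 (Appendix A.3.1 and D.4.3). The HMAC-SHA digest here is a plain RFC 2104 HMAC over the packet, an assumption of this example that does not reproduce the draft's exact construction. KEYS and HELLO_BODY are constructed sample data.

```python
import hashlib
import hmac
import struct

# OSPFv2 header (RFC 2328 A.3.1), 24 bytes: version, type, packet length,
# router ID, area ID, checksum, AuType, Authentication (8 bytes).
OSPF_HDR = struct.Struct("!BBHIIHH8s")
AUTYPE_CRYPTO = 2  # "Cryptographic authentication": Key ID + seq in the auth field

# Digest sizes. "md5" is the RFC 2328 Appendix D scheme; the HMAC-SHA entries
# stand in for the draft under discussion (simplified to a plain RFC 2104 HMAC
# over the packet, an assumption of this example, not the draft's construction).
DIGEST_LEN = {"md5": 16, "hmac-sha1": 20, "hmac-sha256": 32}

# Constructed key table: the receiver learns the algorithm from the Key ID,
# which is the demultiplexing Phil argues for.
KEYS = {1: ("md5", b"legacy-md5-secret"), 2: ("hmac-sha256", b"new-sha-secret")}
HELLO_BODY = b"\xff\xff\xff\x00" + b"\x00" * 16  # constructed dummy Hello body


def _digest(algo, secret, msg):
    if algo == "md5":
        # RFC 2328 D.4.3: MD5 over the packet followed by the key, padded to 16 octets
        return hashlib.md5(msg + secret.ljust(16, b"\x00")[:16]).digest()
    if algo == "hmac-sha1":
        return hmac.new(secret, msg, hashlib.sha1).digest()
    if algo == "hmac-sha256":
        return hmac.new(secret, msg, hashlib.sha256).digest()
    raise ValueError(f"unknown algorithm {algo}")


def build_packet(body, key_id, seq, keys, router_id=0x0A000001, area_id=0):
    """Sender side: AuType stays 2 whatever the algorithm; the Key ID selects it."""
    algo, secret = keys[key_id]
    dlen = DIGEST_LEN[algo]
    # Auth field for AuType 2: reserved(2) | Key ID(1) | Auth Data Len(1) | Seq(4)
    auth = struct.pack("!HBBI", 0, key_id, dlen, seq)
    length = OSPF_HDR.size + len(body)  # the digest trailer is not counted
    hdr = OSPF_HDR.pack(2, 1, length, router_id, area_id, 0, AUTYPE_CRYPTO, auth)
    return hdr + body + _digest(algo, secret, hdr + body)


def verify(pkt, keys):
    """Receiver that demultiplexes on Key ID. Returns (ok, algorithm or reason)."""
    if len(pkt) < OSPF_HDR.size:
        return False, "short packet"
    _, _, length, _, _, _, autype, auth = OSPF_HDR.unpack_from(pkt)
    if autype != AUTYPE_CRYPTO:
        return False, f"AuType {autype} is not cryptographic authentication"
    _, key_id, dlen, _ = struct.unpack("!HBBI", auth)
    if key_id not in keys:
        return False, f"unknown Key ID {key_id}"
    algo, secret = keys[key_id]
    if dlen != DIGEST_LEN[algo] or len(pkt) != length + dlen:
        # The operator-visible hint Tom asks for: the algorithm configured for
        # this Key ID cannot have produced a trailer of this size.
        return False, f"Key ID {key_id} is configured for {algo} but trailer is {dlen} bytes"
    if not hmac.compare_digest(_digest(algo, secret, pkt[:length]), pkt[length:]):
        return False, "digest mismatch"
    return True, algo


def verify_legacy_md5(pkt, secret):
    """A pre-draft receiver that hard-wires AuType 2 == MD5 (Phil's interop concern)."""
    if len(pkt) < OSPF_HDR.size:
        return False, "short packet"
    _, _, length, _, _, _, autype, auth = OSPF_HDR.unpack_from(pkt)
    _, _, dlen, _ = struct.unpack("!HBBI", auth)
    if autype != AUTYPE_CRYPTO or dlen != 16 or len(pkt) != length + 16:
        return False, "malformed AuType 2 packet"  # all it can say about an HMAC-SHA packet
    if not hmac.compare_digest(_digest("md5", secret, pkt[:length]), pkt[length:]):
        return False, "digest mismatch"
    return True, "md5"


if __name__ == "__main__":
    for key_id in KEYS:
        pkt = build_packet(HELLO_BODY, key_id, seq=1, keys=KEYS)
        print(key_id, verify(pkt, KEYS), verify_legacy_md5(pkt, KEYS[key_id][1]))
```

Run stand-alone, the MD5-keyed packet (Key ID 1) is accepted by both receivers, while the HMAC-SHA-256 packet (Key ID 2) is accepted by the Key-ID receiver and rejected as "malformed" by the legacy one, which has no way to say that the real problem is an algorithm it does not know. Feeding the same packet to a receiver whose key table has Key ID 2 configured for MD5 yields the configured-for/trailer-size message instead of a bare digest mismatch, which is about as much OAM help as the Key ID approach can give without a new AuType.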