Re: [OSPF] Supporting Authentication Trailer for OSPFv3
Curtis Villamizar <curtis@occnc.com> Thu, 24 February 2011 04:09 UTC
To: Acee Lindem <acee.lindem@ericsson.com>
From: Curtis Villamizar <curtis@occnc.com>
In-reply-to: Your message of "Thu, 17 Feb 2011 11:45:12 EST." <0CF22788-92B1-4BAF-B6A3-175C3687FD6D@ericsson.com>
Date: Wed, 23 Feb 2011 23:10:27 -0500
Sender: curtis@occnc.com
Cc: "ospf@ietf.org" <ospf@ietf.org>, Alan Davey <Alan.Davey@metaswitch.com>
Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3

In message <0CF22788-92B1-4BAF-B6A3-175C3687FD6D@ericsson.com>
Acee Lindem writes:
>
> Hi Srini,
>
> The fact that graceful restart will be more difficult is part of the
> cost of implementing this draft. One of the jobs of the OSPF WG is
> determining whether the "medicine is worse than the disease". In this
> case, the disease is well-timed replay attacks and the medicine is the
> proposed solution.
>
> Thanks,
> Acee

Acee, et al.

I hope no one minds that I trimmed the rest of the context.

It should be possible to on startup negotiate a new initial sequence number through an exchange that involves the exchange of an encrypted or authenticated challenge using a shared key. This would involve additional protocol exchange which is in neither of the security drafts being considered, but either could be changed.

Doing so would allow the replay attack problem to be addressed without creating a new problem due to forgetting the last sequence number that was used after a graceful restart wakeup.

If we are going to go to this extent, adding a negotiation step, then you might also want to add an option to exchange an encrypted session key to avoid an attack where enough "in the clear" information is authenticated to guess the key in use.

I can barely keep up with IETF email so I'd rather someone else pick this idea up if it's thought to be a good idea (maybe it isn't).

Now back to lurking.

Curtis
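
The challenge-based sequence number negotiation suggested in the message above, as an added sketch that is not part of the message or of either draft. The message layout, the `seq-reset` label, HMAC-SHA-256, the neighbor reporting the last sequence number it accepted, and all names are assumptions made for illustration; one neighbor pair with one shared key is modelled.

```python
import hashlib
import hmac
import os
import struct


def reset_tag(key: bytes, nonce: bytes, new_seq: int) -> bytes:
    """MAC binding the neighbor's fresh nonce to the proposed initial sequence number."""
    msg = b"seq-reset" + nonce + struct.pack("!Q", new_seq)  # hypothetical layout
    return hmac.new(key, msg, hashlib.sha256).digest()


class Neighbor:
    def __init__(self, key: bytes, last_seq: int):
        self.key, self.last_seq, self.pending = key, last_seq, None

    def accept_packet(self, seq: int) -> bool:
        if seq <= self.last_seq:            # replayed or stale
            return False
        self.last_seq = seq
        return True

    def challenge(self):
        self.pending = os.urandom(16)       # fresh, single-use nonce
        return self.pending, self.last_seq  # tell the peer what it forgot

    def accept_reset(self, nonce: bytes, new_seq: int, tag: bytes) -> bool:
        if self.pending is None or nonce != self.pending:
            return False                    # answer to an old or unknown challenge
        self.pending = None                 # nonce matched: consume it
        good = hmac.compare_digest(tag, reset_tag(self.key, nonce, new_seq))
        if not good or new_seq <= self.last_seq:
            return False                    # forged, or would move the window back
        self.last_seq = new_seq - 1         # next accepted packet is new_seq
        return True


def demo() -> dict:
    key = b"constructed-shared-key"         # sample value, constructed for this example
    nbr = Neighbor(key, last_seq=1000)      # peer had reached 1000 before restarting
    out = {"before_reset": nbr.accept_packet(1)}    # restarted peer starts over at 1
    nonce, seen = nbr.challenge()
    answer = (nonce, seen + 1, reset_tag(key, nonce, seen + 1))  # restarted peer's reply
    out["reset"] = nbr.accept_reset(*answer)
    out["after_reset"] = nbr.accept_packet(seen + 1)
    nbr.challenge()                                 # a later, different challenge
    out["replayed_reset"] = nbr.accept_reset(*answer)
    out["replayed_packet"] = nbr.accept_packet(1000)
    return out
```

Because the reset is only honoured for the nonce currently outstanding and never moves the accepted sequence number backwards, a captured reset answer or a captured pre-restart packet is rejected.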