draft-ietf-ospf-ospfv3-auth-07.txt : Questions
Erblichs <erblichs@EARTHLINK.NET> Fri, 11 February 2005 20:54 UTC
Regarding http://www.ietf.org/internet-drafts/draft-ietf-ospf-ospfv3-auth-07.txt,

1) First, if the title specifies OSPFv3, should this RFC be making comparisons to OSPFv2?

2) There are two expiration dates specified on the first page: August 2005 and June 2005, the latter with the page 1 header.

3) Doesn't OSPFv3 specify Instance values in the headers so multiple instances can be matched with Authentication? This is a major diff between OSPFv2 and OSPFv3. Without the Instance field, only Auth/Encrypt could be used to distinguish multiple instances. You hide part of this when dealing with multiple SAs per link in section 8.

4) Isn't NULL authentication supported in v3? When we support NULL Auth, is that a must support for Auth?
   "Section 3. Implementations conforming to this specification MUST support Authentication for OSPFv3."
   Does this prevent NULL auth? Is this right?

5) Why must v3 packets be silently discarded when authentication/confidentiality is enabled? Why shouldn't there be calls into OSPF so OSPF can log these dropped packets?
   "4. Confidentiality * OSPFv3 packets that are not protected ... MUST be silently discarded."
   Don't silent discards prevent administrators from identifying adj failures, unsuccessful security probing, non-synchronized key rollovers, etc.?

6) If an implementation does not support confidentiality and conforms to this specification, is the packet discard behaviour UNDEFINED?
   "implementations ... SHOULD Support... ."

7) 5. Distinguishing OSPFv3 from OSPFv2
   "OSPF version field in the OSPF header cannot be used"
   Then what was the use of this version field? Are you saying that if an implementor pushes OSPFv3 packets into an IPv4 domain, then they must be processed as OSPFv2 pkts?????? I remember a discussion of pushing OSPFv2 into the IPv6 domain and/or OSPFv3 into IPv4. What was the result of this? Did the result invalidate this section?

8) "version field in IP header can be used"
   What if an implementation strips the IP header before it passes it to OSPF?? Shouldn't they be stripped before lower layers are called?

9) 7. Key Management
   "it is not scalable"
   This means that you can't use even 2 communication channels when different SAs are used for inbound and outbound traffic. It may be more proper to say that "it does not scale well".

Mitchell Erblich