Re: draft-ietf-ospf-ospfv3-auth-04.txt

Mukesh.Gupta@NOKIA.COM Wed, 07 July 2004 07:16 UTC

Received: from cherry.ease.lsoft.com (cherry.ease.lsoft.com [209.119.0.109]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA27077 for <ospf-archive@LISTS.IETF.ORG>; Wed, 7 Jul 2004 03:16:07 -0400 (EDT)
Received: from vms.dc.lsoft.com (209.119.0.2) by cherry.ease.lsoft.com (LSMTP for Digital Unix v1.1b) with SMTP id <14.00E09223@cherry.ease.lsoft.com>; Wed, 7 Jul 2004 3:16:05 -0400
Received: from PEACH.EASE.LSOFT.COM by PEACH.EASE.LSOFT.COM (LISTSERV-TCP/IP release 1.8e) with spool id 24815180 for OSPF@PEACH.EASE.LSOFT.COM; Wed, 7 Jul 2004 03:16:04 -0400
Received: from 131.228.20.21 by WALNUT.EASE.LSOFT.COM (SMTPL release 1.0i) with TCP; Wed, 7 Jul 2004 03:16:04 -0400
Received: from esdks002.ntc.nokia.com (esdks002.ntc.nokia.com [172.21.138.121]) by mgw-x1.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id i677G2J05462 for <OSPF@PEACH.EASE.LSOFT.COM>; Wed, 7 Jul 2004 10:16:03 +0300 (EET DST)
X-Scanned: Wed, 7 Jul 2004 10:14:17 +0300 Nokia Message Protector V1.3.31 2004060815 - RELEASE
Received: (from root@localhost) by esdks002.ntc.nokia.com (8.12.9/8.12.9) id i677EHvc007342 for <OSPF@PEACH.EASE.LSOFT.COM>; Wed, 7 Jul 2004 10:14:17 +0300
Received: from mgw-int1.ntc.nokia.com (172.21.143.96) by esdks002.ntc.nokia.com 009vNE2c; Wed, 07 Jul 2004 10:13:06 EEST
Received: from daebh002.NOE.Nokia.com (daebh002.americas.nokia.com [10.241.35.122]) by mgw-int1.ntc.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id i677D4H00509 for <OSPF@PEACH.EASE.LSOFT.COM>; Wed, 7 Jul 2004 10:13:04 +0300 (EET DST)
Received: from daebe009.NOE.Nokia.com ([10.241.35.109]) by daebh002.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Wed, 7 Jul 2004 02:13:03 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Thread-Topic: draft-ietf-ospf-ospfv3-auth-04.txt
Thread-Index: AcRjzbAdHlvkj1RrQwCOMHV7f8mrtQAIyi3g
X-OriginalArrivalTime: 07 Jul 2004 07:13:03.0580 (UTC) FILETIME=[D806A9C0:01C463F1]
Message-ID: <8D260779A766FB4A9C1739A476F84FA4026AB133@daebe009.americas.nokia.com>
Date: Wed, 7 Jul 2004 02:13:03 -0500
Reply-To: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
Sender: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
From: Mukesh.Gupta@NOKIA.COM
Subject: Re: draft-ietf-ospf-ospfv3-auth-04.txt
To: OSPF@PEACH.EASE.LSOFT.COM
Precedence: list
Content-Transfer-Encoding: quoted-printable

Acee/Mitchell,

Comments inline..

> > Ace, et al,
> >
> >         I realize that this is a late comment..
> >
> >         Section 3. Authentication
> >
> >                 But this really applies throughout
> >                 this doc.
> >
> >       "OSPF packets recieved ... MUST be dropped ..."
> >
> >         Their is no mention that I have seen that identifies
> >         an appropriate MISMATCH message that allows the
> >         recv'r administrator to correct this or other bad
> >         configurations.
> >
> I don't think we should try and standardise logging and/or
> log throttling mechanisms. The OSPFv2 MIB does define an
> ospfIfAuthFailure trap and I would imagine that when traps
> are added to the OSPFv3 MIB, this one would be included.
> It might be ok to say add a general statement saying that there
> should be some type of local auth failure notification and that
> it would be a good idea to throttle them.

I don't think OSPFv3 MIB could include this trap.  As the packets
are being dropped by IPsec before they even reach OSPF, OSPF is
not going to know about the packets being dropped.

The point that I am not able to understand is that how is it
possible that some packets will be dropped and the others will
not be ?  If the keys are matching then all the packets will
be delivered to OSPF.  If there is a mismatch in the keys,
all the packets will be dropped by the IPsec.  The OSPF 
adjacency will be down in the mismatch case so the admin
will definitely know about that :)

> >         Also, can a OSPF router sychronize
> >         or update its database with another router if a
> >         percentage of its packets are dropped?
>
> It depends on the percentage.
>
> >
> >         I keep on thinking that dropped msgs of this type
> >         need to be tracked and as much information should
> >         be logged about the xmit'er of the MISMATCHED pkt.
> >
> >         What happens if some OSPF packets are dropped from
> >         a router and others are accepted?
>
> It depends on which packets :^)

Again when do you expect to see a percentage of the pkts
being dropped ?

> >         Thus, I would think and this is a bit extreme, if
> >         a OSPF packet is recieved that has a mismatch in
> >         any encryption or authentication field(s) from the
> >         xmit router, the adjacency or its 2-way link status
> >         should be dropped. The router can not be a trusted
> >         router if some of its packets are untrusted and/or
> >         its contents are unknown. Can it?
> >         Yes, this is assuming that the router-id is known.
>
> I disagree. Authentication should be done on a packet by packet
> basis without OSPF trying to maintain any state other than what is
> maintained by IPSEC itself.

I also disagree.  First of all I am not able to understand
the situation in which some of the packets are being dropped
and some of them are being delivered to OSPF.

Regards
Mukesh