Re: [OSPF] Supporting Authentication Trailer for OSPFv3

"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Tue, 19 October 2010 00:54 UTC

From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Uma Chunduri <uma.chunduri@ericsson.com>
Date: Tue, 19 Oct 2010 06:26:05 +0530
Thread-Topic: Supporting Authentication Trailer for OSPFv3
Message-ID: <7C362EEF9C7896468B36C9B79200D8350CF3F3A212@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <7C362EEF9C7896468B36C9B79200D8350CF3CBA6B4@INBANSXCHMBSA1.in.alcatel-lucent.com> <7C362EEF9C7896468B36C9B79200D8350CF3F39B29@INBANSXCHMBSA1.in.alcatel-lucent.com> <D1D8138DDF34B34B8BC68A11262D10790AD751FFFB@EUSAACMS0701.eamcs.ericsson.se>
In-Reply-To: <D1D8138DDF34B34B8BC68A11262D10790AD751FFFB@EUSAACMS0701.eamcs.ericsson.se>
Cc: "ospf@ietf.org" <ospf@ietf.org>, "karp@ietf.org" <karp@ietf.org>
Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3

Hi Uma,

Thanks for the comments.
 
> 1. Page 3 - Sec 1 - I saw a couple of places referencing 
> [RFC4522], LDAP?? 

My bad - it should have been RFC 4552 - "Authentication/Confidentiality for OSPFv3".

> 
> 2. Sec 2.2 
>    I didn't understand on what exactly is the requirement 
> that this has to be similar to OSPFv2?

It isn't. We're first trying to bring it on par with OSPFv2. Once the WG agrees that it's something they would want to work on, we can introduce other changes. 

> 
> 3. Sec 3:
>    - Mentions Key-ID is 32 bit?? But from Figure-3 it's 8 bit?

Thanks for catching this - will fix the figure in the next version.

>    - Do you need to consider any thing in 
> draft-housley-saag-crypto-key-table-04.txt? It suggests 16 Bit Key-IDs
>      (this could be important as in future it should be tied 
> to AKMs for RPs?)
>    - Probably, it's better to be more than 8 bit to 
> facilitate association lookup from the DB.

We are suggesting a 32 bit Key ID, so I guess that would take care of this too.

> 
> 4. Sec 4.1
> 
>    - Figure-3 (Reserved , instead of 0?)

Yes, will do.

>    - Key-ID length inconsistency

Yup!

>  
> 5. Sec 4.2
>     
>    - I understand the proposal made is similar to OSPFv2 - 
> but as this is anyway new for OSPF3 does it have to be 
> limited to HMAC-xxx?
>      Can AES-XCBC-xx  be considered (to give more choice and 
> for differentiation) 
>         - not questioning HMAC-SHA-256, HMAC-SHA-384 etc..
>         - as said to facilitate more options (in-built crypto 
> accelerators)

Yes, this definitely can be done. 

Currently OSPFv2 only supports HMAC. It's on my TODO list to write a small proposal about how OSPFv2 and OSPFv3 can use AES-XCBC-xx algorithms for authenticating their protocol packets. I don't think there's any hurry as most vendors are still implementing RFC 5709.

> 
> 6. Sec 4.3
> 
>    - It would be better if this sections show what is 
> input/output to the crypto and what is authenticated through 
> 1-2 figures?
>    - Probably HMAC/crypto aspect can be as part of Appendix 
> (..you can keep the APAD aspect here)
> 
> 7. Would it be better to include IPv6 header too as part of 
> OSPF3 packet (..not only as current available AH option  
> gives this protection)

As I said earlier, I would first like to see if the WG is interested in working on a non-IPsec authentication mechanism for OSPFv3. These things can be sorted out once we have a go-ahead.

Cheers, Manav

>    
> Thanks,
> Uma
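As an added illustration, not part of this thread or the draft it discusses: a constructed Python model of the points raised under Sec 3 and Sec 4.3, i.e. what goes into the HMAC (the OSPFv3 packet plus a trailer whose authentication-data field is pre-filled with Apad, as RFC 5709 does for OSPFv2) and how a receiver uses a 32-bit Key ID to look up the key before verifying. The trailer layout, the key table, the header field values and the Hello body are all assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Apad constant from RFC 5709 (OSPFv2 HMAC-SHA); assumed to carry over to OSPFv3 here.
APAD = bytes.fromhex("878FE1F3")

# Hypothetical key table keyed by a 32-bit Key ID, as proposed in the thread.
# Keys and IDs are constructed sample values.
KEY_TABLE = {
    0x00000001: ("sha256", b"constructed-shared-key-1"),
    0x00000002: ("sha384", b"constructed-shared-key-2"),
}

def build_ospfv3_header(pkt_type: int, body: bytes) -> bytes:
    """Constructed OSPFv3 header: version 3, type, length, router ID, area ID,
    checksum (0), instance ID, reserved. Length covers header + body only."""
    length = 16 + len(body)
    return struct.pack("!BBHIIHBB", 3, pkt_type, length, 0x0A000001, 0, 0, 0, 0) + body

def _mac_input(ospf_packet: bytes, key_id: int, digest_len: int) -> bytes:
    # Authenticated data: the OSPFv3 packet, then the trailer with the Key ID and
    # the authentication-data field filled with Apad (assumed trailer layout).
    apad_fill = (APAD * ((digest_len + 3) // 4))[:digest_len]
    return ospf_packet + struct.pack("!I", key_id) + apad_fill

def compute_digest(ospf_packet: bytes, key_id: int) -> bytes:
    alg, key = KEY_TABLE[key_id]
    digest_len = hashlib.new(alg).digest_size
    # hmac.new derives Ko (zero-pad, or hash keys longer than the block size) per RFC 2104.
    return hmac.new(key, _mac_input(ospf_packet, key_id, digest_len), alg).digest()

def append_trailer(ospf_packet: bytes, key_id: int) -> bytes:
    return ospf_packet + struct.pack("!I", key_id) + compute_digest(ospf_packet, key_id)

def verify(frame: bytes) -> bool:
    """Receiver: locate the trailer via the OSPFv3 length field, look up the key
    by Key ID, recompute the digest and compare in constant time."""
    if len(frame) < 20:
        return False
    pkt_len = struct.unpack("!H", frame[2:4])[0]
    if pkt_len < 16 or pkt_len + 4 > len(frame):
        return False
    ospf_packet = frame[:pkt_len]
    key_id = struct.unpack("!I", frame[pkt_len:pkt_len + 4])[0]
    if key_id not in KEY_TABLE:  # unknown Key ID: drop rather than guess a key
        return False
    received = frame[pkt_len + 4:]
    expected = compute_digest(ospf_packet, key_id)
    return len(received) == len(expected) and hmac.compare_digest(received, expected)

HELLO = build_ospfv3_header(1, b"\x00" * 20)  # constructed 20-byte Hello body
```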