Re: [OSPF] Authentication/Confidentiality for OSPFv2

Paul Wells <pauwells@cisco.com> Wed, 19 August 2009 16:58 UTC

Message-ID: <4A8C2F43.6010509@cisco.com>
Date: Wed, 19 Aug 2009 11:58:43 -0500
From: Paul Wells <pauwells@cisco.com>
To: Acee Lindem <acee@redback.com>
References: <25C684A4-6D5E-4924-892E-758F0AB1A36B@redback.com>
In-Reply-To: <25C684A4-6D5E-4924-892E-758F0AB1A36B@redback.com>
Cc: OSPF List <ospf@ietf.org>, Suresh Melam <nmelam@juniper.net>

Hi Acee,

Before we make this a working group document I'd like to hear what 
real problem in OSPFv2 this proposal is addressing.

With draft-ietf-ospf-hmac-sha we are upgrading the authentication 
algorithms used by OSPFv2 to the same ones commonly used with 
IPSec. While the optional use of AH does authenticate additional 
bits of the IP header, I'm not sure I see a significant benefit in 
that. On the other hand, we lose the replay protection we 
currently have in OSPFv2.

The only new capability I see is the option of encrypting the 
protocol traffic while, presumably, leaving everything else in the 
clear. In my opinion if you really care about confidentiality 
you'll run everything, including OSPF, through an IPSec tunnel.

I'd rather see the WG spend its time improving RFC 4552 by 
allowing for automated rekeying (at least on P2P links) rather 
than simply copying the existing OSPFv3 spec to OSPFv2.

Regards,
Paul

Acee Lindem wrote:
> For some time we've discussed adding IPsec support for OSPFv2 analogous 
> to what we have for OSPFv3. The subject draft describes how we'd 
> build on the OSPFv3 support to support OSPFv2:
> 
>    http://www.ietf.org/id/draft-gupta-ospf-ospfv2-sec-01.txt
> 
> What are the current thoughts as far as adding this as a WG document?
> 
> Thanks,
> Acee
> P.S. The formatting issues will be fixed in the next 
> revision.
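The two mechanisms Paul weighs against AH, the HMAC-SHA authentication from draft-ietf-ospf-hmac-sha (published as RFC 5709) and the cryptographic sequence number replay check from RFC 2328, as an added example that is not part of this thread: it builds an OSPFv2 packet with AuType 2 and the RFC 5709 trailer (HMAC over header, body and the Apad placeholder), then verifies it with a per-neighbour sequence-number check. The key, key ID, router/area IDs and packet body are constructed sample values.

```python
import hmac
import hashlib
import struct

# RFC 5709 Apad constant, repeated to the digest length and appended in place
# of the trailer when the HMAC is computed.
APAD = bytes.fromhex("878FE1F3")


def build_ospfv2_hmac_packet(key, key_id, seq, router_id, area_id, ptype, body,
                             digestmod=hashlib.sha256):
    """Build an OSPFv2 packet with AuType 2 and an RFC 5709 HMAC-SHA trailer."""
    L = digestmod().digest_size
    length = 24 + len(body)  # OSPFv2 packet length excludes the auth trailer
    # Header: version 2, type, length, router ID, area ID, checksum (0 with
    # cryptographic authentication), AuType 2, then the 8-byte auth field:
    # reserved 0, key ID, auth data length, cryptographic sequence number.
    header = struct.pack("!BBH4s4sHH", 2, ptype, length, router_id, area_id, 0, 2)
    header += struct.pack("!HBBI", 0, key_id, L, seq)
    apad = (APAD * (L // 4))[:L]
    digest = hmac.new(key, header + body + apad, digestmod).digest()
    return header + body + digest


class Ospfv2Verifier:
    """Receiver side: check the trailer, then the per-neighbour sequence number."""

    def __init__(self, keys, digestmod=hashlib.sha256):
        self.keys = keys              # key_id -> shared secret (constructed)
        self.digestmod = digestmod
        self.last_seq = {}            # router_id -> last accepted sequence number

    def verify(self, packet):
        if len(packet) < 24:
            return False, "short"
        _, _, length, router_id, _, _, autype = struct.unpack("!BBH4s4sHH", packet[:16])
        _, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
        if autype != 2 or auth_len != self.digestmod().digest_size:
            return False, "unexpected auth type/length"
        if len(packet) != length + auth_len:
            return False, "length mismatch"
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id"
        apad = (APAD * (auth_len // 4))[:auth_len]
        expected = hmac.new(key, packet[:length] + apad, self.digestmod).digest()
        if not hmac.compare_digest(expected, packet[length:]):
            return False, "bad digest"
        # RFC 2328 D.3: sequence number must be >= the last one seen from this
        # neighbour; an older number is treated as a replay. Note the rule
        # accepts an equal number, so it is a weaker check than AH's window.
        if seq < self.last_seq.get(router_id, 0):
            return False, "replay"
        self.last_seq[router_id] = seq
        return True, "ok"
```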