Re: [OSPF] New Version Notification for draft-acee-ospf-rfc6506bis-01.txt
Acee Lindem <acee.lindem@ericsson.com> Wed, 12 June 2013 20:59 UTC
Return-Path: <prvs=887540fea2=acee.lindem@ericsson.com>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6191111E80F0 for <ospf@ietfa.amsl.com>; Wed, 12 Jun 2013 13:59:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.471
X-Spam-Level:
X-Spam-Status: No, score=-2.471 tagged_above=-999 required=5 tests=[AWL=0.128, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PY-01-ofDFBU for <ospf@ietfa.amsl.com>; Wed, 12 Jun 2013 13:59:17 -0700 (PDT)
Received: from usevmg21.ericsson.net (usevmg21.ericsson.net [198.24.6.65]) by ietfa.amsl.com (Postfix) with ESMTP id 942D611E810E for <ospf@ietf.org>; Wed, 12 Jun 2013 13:59:16 -0700 (PDT)
X-AuditID: c6180641-b7f0e6d0000015f1-cb-51b8e12315cf
Received: from EUSAAHC006.ericsson.se (Unknown_Domain [147.117.188.90]) by usevmg21.ericsson.net (Symantec Mail Security) with SMTP id D0.44.05617.321E8B15; Wed, 12 Jun 2013 22:59:16 +0200 (CEST)
Received: from EUSAAMB101.ericsson.se ([147.117.188.118]) by EUSAAHC006.ericsson.se ([147.117.188.90]) with mapi id 14.02.0328.009; Wed, 12 Jun 2013 16:59:15 -0400
From: Acee Lindem <acee.lindem@ericsson.com>
To: "Marek Karasek (mkarasek)" <mkarasek@cisco.com>
Thread-Topic: [OSPF] New Version Notification for draft-acee-ospf-rfc6506bis-01.txt
Thread-Index: AQHOZpfDRu1KsPZQpUSv1C6bqb0hGpkwxEsAgAAE6QCAAZbKAA==
Date: Wed, 12 Jun 2013 20:59:15 +0000
Message-ID: <94A203EA12AECE4BA92D42DBFFE0AE47165A94@eusaamb101.ericsson.se>
In-Reply-To: <94A203EA12AECE4BA92D42DBFFE0AE47163A7A@eusaamb101.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.5.121010
x-originating-ip: [147.117.188.134]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <626919D23DD9184EBAFCCEB25647D543@ericsson.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrFLMWRmVeSWpSXmKPExsUyuXRPlK7Kwx2BBpu/8Fj8/NLJatFy7x67 A5PHlN8bWT2WLPnJFMAUxW2TlFhSFpyZnqdvl8Cd8fjEa5aC31YVD+ZeY2pgvKPfxcjJISFg ItG0cDsbhC0mceHeeiCbi0NI4CijxLUbzcwQznJGiR+HnzOBVLEJ6Eg8f/QPKMHBISJgLDHr DitImFlAWeJx12qwQcICIRLnWk4yQpSESpzZVAsSFhFwkth06gIjiM0ioCrx7O9sdhCbV8Bb Yv3bPhYQm1PAR+Lig2NgcUage76fWsMEMV5c4taT+UwQdwpILNlznhnCFpV4+fgf2AmiAnoS bcfOsEPElSWWPNnPAtGrI7Fg9yc2CNtaYtaHNqiTtSWWLXzNDHGDoMTJmU9YJjCKz0KybhaS 9llI2mchaZ+FpH0BI+sqRo7S4tSy3HQjw02MwKg6JsHmuINxwSfLQ4zSHCxK4ryxqjsChQTS E0tSs1NTC1KL4otKc1KLDzEycXCCCC6pBkbmLOnDLdfS2ufmOLuf9lbyfLfNdcl7jyddk1fO vl2y6pO12GSGb5d84q7Pufjym+y3nG97xeIfWgU3tv14ssGpoLk75EbbJcWoo9xy13Z2X9XV UWfk85kd5TQzMEZc/WPPu6Ubl/99PftW+gMllq+lMU1v57PufxV3SvD06/sfmQNfhZ6Qu2ap xFKckWioxVxUnAgAfbRKX30CAAA=
Cc: "ospf@ietf.org" <ospf@ietf.org>
Subject: Re: [OSPF] New Version Notification for draft-acee-ospf-rfc6506bis-01.txt
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2013 20:59:23 -0000
Hi Marek,
I thought about this and I think we need to modify the behavior in
transition mode for this to provide a smooth transition. An OSPFv3 router
in transition mode needs to "be conservative in what it sends and liberal
in what it accepts". Hence, in transition mode, the router would accept
packet with and without an authentication trailer but would not include
the authentication trailer in this mode. If you don't do it this way,
you'll have a deployment window problem since routers in transition mode
will still be sending packets that won't be accepted by routers that have
not yet been converted - they'll be dropped due to checksum errors. If you
don't include the authentication header, you just need to:
1. Convert all the nodes in the routing domain to OSPFv3
authentication transition mode. There will be no timing dependencies.
2. Convert routers to send at the authentication trailer in any
order.
Agree?
Thanks,
Acee
On 6/11/13 6:43 AM, "Acee Lindem" <acee.lindem@ericsson.com> wrote:
>Hi Marek,
>I've thought about it and this would be compatible with the rest of the
>draft. It would be useful if incremental deployment is a concern. I have
>no objection to adding this. Any other opinions?
>
>Thanks,
>Acee
>On Jun 11, 2013, at 9:26 AM, Marek Karasek (mkarasek) wrote:
>
>> Hi Acee,
>>
>> I support bis version as well.
>>
>> I have one more suggestion though for this paragraph:
>>
>> In support of uninterrupted deployment, an OSPFv3 router implementing
>> this specification MAY implement a transition mode where it includes
>> the Authentication Trailer in transmitted packets but does not verify
>> this information in received packets. This is provided as a
>> transition aid for networks in the process of migrating to the
>> authentication mechanism described in this specification.
>>
>>
>> Can it be explicitly added how to work with checksums in the transition
>>(or deployment) mode? I suggest adding:
>>
>> - For OSPFv3 packets to be transmitted in deployment mode, the OSPFv3
>>header checksum and LLS data block checksum is computed and written in
>>the packets.
>> - For packets received in deployment mode which include an OSPFv3
>>Authentication Trailer, OSPFv3 header checksum verification MUST be
>>omitted.
>> - For packets received in deployment mode which do not include an
>>OSPFv3 Authentication Trailer, OSPFv3 header checksum and LLS data block
>>checksum are verified.
>>
>>
>> Thanks marek
>>
>>
>> -----Original Message-----
>> From: ospf-bounces@ietf.org [mailto:ospf-bounces@ietf.org] On Behalf Of
>>Acee Lindem
>> Sent: Tuesday, June 11, 2013 1:35 PM
>> To: Michael Barnes (mjbarnes); ospf@ietf.org
>> Subject: Re: [OSPF] New Version Notification for
>>draft-acee-ospf-rfc6506bis-01.txt
>>
>> Thank Michael - Does anyone else support this work? I think it will
>>help ensure compatibility between implementations. I would have expected
>>at least those who submitted the corrected errata to support the draft.
>> Thanks,
>> Acee
>>
>> On 6/6/13 1:12 PM, "Michael Barnes" <mjbarnes@cisco.com> wrote:
>>
>>> I agree these are good changes. Acee, please move forward with this
>>>draft.
>>>
>>> Thanks,
>>> Michael
>>>
>>> On 05/09/2013 11:03 AM, Acee Lindem wrote:
>>>> There have been a couple errata filed on RFC 6505 (authors copied).
>>>> As a service to the OSPF community and in an effort to ensure
>>>> interoperable OSPFv3 authentication trailer implementations, I have
>>>> produced a BIS draft. The changes are listed in section 1.2:
>>>>
>>>> 1.2. Summary of Changes from RFC 6506
>>>>
>>>> This document includes the following changes from RFC 6506
>>>> [RFC6506]:
>>>>
>>>> 1. Sections 2.2 and 4.2 explicitly state the Link-Local Signalling
>>>> (LLS) block checksum calculation is omitted when an OSPFv3
>>>> authentication is used. The LLS block is included in the
>>>> authentication digest calculation and computation of a checksum
>>>> is unneccessary. Clarification of this issue was raised in an
>>>> errata.
>>>>
>>>> 2. Section 4.5 includes a correction to the key preparation to use
>>>> the protocol specific key (Ks) rather than the key (K) as the
>>>> initial key (Ko). This problem was also raised in an errata.
>>>>
>>>> 3. Section 4.5 also includes a discussion of the choice of key
>>>> length to be the hash length (L) rather than the block size
>>>>(B).
>>>> The discussion of this choice was included to clarify an issue
>>>> raised in a rejected errata.
>>>>
>>>> 4. Section 4.1 indicates that sequence number checking is
>>>>dependent
>>>> on OSPFv3 packet type in order to account for packet
>>>> prioritization as specified in [RFC4222]. This was an omission
>>>> from RFC 6506.
>>>>
>>>>
>>>> I would like to quickly move this to an OSPF WG document and begin
>>>> the review process. I'm now soliciting feedback on OSPF WG adoption.
>>>>
>>>> Thanks,
>>>> Acee
>>>>
>>>>
>>>> On May 9, 2013, at 1:43 PM, <internet-drafts@ietf.org>
>>>> wrote:
>>>>
>>>>>
>>>>> A new version of I-D, draft-acee-ospf-rfc6506bis-01.txt has been
>>>>> successfully submitted by Manav Bhatia and posted to the IETF
>>>>> repository.
>>>>>
>>>>> Filename: draft-acee-ospf-rfc6506bis
>>>>> Revision: 01
>>>>> Title: Supporting Authentication Trailer for OSPFv3
>>>>> Creation date: 2013-05-09
>>>>> Group: Individual Submission
>>>>> Number of pages: 25
>>>>> URL:
>>>>> http://www.ietf.org/internet-drafts/draft-acee-ospf-rfc6506bis-01.txt
>>>>> Status:
>>>>> http://datatracker.ietf.org/doc/draft-acee-ospf-rfc6506bis
>>>>> Htmlized:
>>>>> http://tools.ietf.org/html/draft-acee-ospf-rfc6506bis-01
>>>>> Diff:
>>>>> http://www.ietf.org/rfcdiff?url2=draft-acee-ospf-rfc6506bis-01
>>>>>
>>>>> Abstract:
>>>>> Currently, OSPF for IPv6 (OSPFv3) uses IPsec as the only mechanism
>>>>> for authenticating protocol packets. This behavior is different
>>>>> from
>>>>> authentication mechanisms present in other routing protocols
>>>>> (OSPFv2,
>>>>> Intermediate System to Intermediate System (IS-IS), RIP, and
>>>>>Routing
>>>>> Information Protocol Next Generation (RIPng)). In some
>>>>> environments,
>>>>> it has been found that IPsec is difficult to configure and maintain
>>>>> and thus cannot be used. This document defines an alternative
>>>>> mechanism to authenticate OSPFv3 protocol packets so that OSPFv3
>>>>> does
>>>>> not only depend upon IPsec for authentication. This document
>>>>> obsoletes RFC 6506.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> The IETF Secretariat
>>>>>
>>>>
>>>> _______________________________________________
>>>> OSPF mailing list
>>>> OSPF@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ospf
>>>>
>>> _______________________________________________
>>> OSPF mailing list
>>> OSPF@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ospf
>>
>> _______________________________________________
>> OSPF mailing list
>> OSPF@ietf.org
>> https://www.ietf.org/mailman/listinfo/ospf
>
>_______________________________________________
>OSPF mailing list
>OSPF@ietf.org
>https://www.ietf.org/mailman/listinfo/ospf
- Re: [OSPF] New Version Notification for draft-ace… Acee Lindem
- Re: [OSPF] New Version Notification for draft-ace… Michael Barnes
- Re: [OSPF] New Version Notification for draft-ace… Acee Lindem
- Re: [OSPF] New Version Notification for draft-ace… Marek Karasek (mkarasek)
- Re: [OSPF] New Version Notification for draft-ace… Acee Lindem
- Re: [OSPF] New Version Notification for draft-ace… Anton Smirnov
- Re: [OSPF] New Version Notification for draft-ace… Acee Lindem
- Re: [OSPF] New Version Notification for draft-ace… Acee Lindem
- Re: [OSPF] New Version Notification for draft-ace… Marek Karasek (mkarasek)
- Re: [OSPF] New Version Notification for draft-ace… Acee Lindem