Re: OSPF cryptographic authentication keying

Mukesh Gupta <mgupta@IPRG.NOKIA.COM> Fri, 16 August 2002 20:44 UTC

Hi Donald,

You are right that your question has absolutely nothing to do with OSPF.

It is really related to the security of generic configuration infrastructure of
vendors. Generally vendors have multiple interfaces to the systems. Talking
about our systems, we have CLI after accessing the system using direct console
access, normal telnet in a secure environment, SSH and web access with HTTP and
HTTPS.

regards
Mukesh

Eastlake III Donald-LDE008 wrote:

> Mukesh,
>
> Yes, I was talking about OSPFv2.
>
> Thanks for your response but, given that in today's world the shared key is
> usually set up "manually", what method is most commonly used? SSH or Secure
> Telnet to a Command Line Interface? SNMP? TLS to a web interface? Do routers
> usually have two or three ways it can be done?
>
> As I say, I realize this isn't strictly part of the OSPFv2 protocol but
> would appreciate any information people can provide.
>
> Thanks,
> Donald
>
> Date:    Tue, 13 Aug 2002 14:06:10 -0400
> From:    Eastlake III Donald-LDE008 <Donald.Eastlake@MOTOROLA.COM>
> Subject: OSPF cryptographic authentication keying
>
> Hi,
>
> I have a couple of questions about how keying is established for OSPF
> cryptographic authentication:
>
> First of all, which may be a stupid question, I have the impression the
> keying is essentially on a pairwise basis, rather than a key being shared
> among all the entities in an area. Is that correct?
>
> Second, how are these keys normally established in today's operational
> world? I realize this is a bit outside of the scope of OSPF, but do people
> use manual entry, SNMP, some negotiation framework like ISAKMP, or what?
>
> Thanks,
> Donald
>
> Donald E. Eastlake 3rd, +1-508-851-8280 (voice), +1-508-851-8507 (fax)
> Motorola, MS: M2-450, 20 Cabot Boulevard, Mansfield, MA 02048 USA
>
> ------------------------------
>
> Date:    Tue, 13 Aug 2002 11:44:51 -0700
> From:    Mukesh Gupta <mgupta@IPRG.NOKIA.COM>
> Subject: Re: OSPF cryptographic authentication keying
>
> > I have a couple of questions about how keying is established for OSPF
> > cryptographic authentication:
>
> I am assuming that you are talking about OSPFv2.
>
> > First of all, which may be a stupid question, I have the impression the
> > keying is essentially on a pairwise basis, rather than a key being shared
> > among all the entities in an area. Is that correct?
>
> To my knowledge, No. It is not correct. The keys are shared between all the
> entities in an area and they are not on a pairwise basis. Using pairwise keys
> in the multicast environment will not work.
>
> > Second, how are these keys normally established in today's operational
> > world? I realize this is a bit outside of the scope of OSPF, but do people
> > use manual entry, SNMP, some negotiation framework like ISAKMP, or what?
>
> I think, most of the implementations use manual entry. ISAKMP wouldn't be easy
> to use in the multicast environment OSPF uses. Key negotiation mechanisms for
> multicast are still being explored.
>
> regards
> Mukesh
>
> --
> ******************************************************************
> Work fascinates me. I can look at it for  hours !
> ******************************************************************
> Mukesh Gupta
> Phone: (650) 625-2264
> Cell : (650) 868-9111
> http://www.iprg.nokia.com/~mgupta
> ******************************************************************

--
******************************************************************
This Would Be Really Funny If It Weren't Happening To Me.
******************************************************************
Mukesh Gupta
Phone: (650) 625-2264
Cell : (650) 868-9111
http://www.iprg.nokia.com/~mgupta
******************************************************************
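
An added example, not part of the original messages: a sketch of OSPFv2 cryptographic authentication (AuType 2, keyed MD5 as laid out in RFC 2328 Appendix D) showing why one multicast packet, which carries a single digest, verifies only at receivers holding the sender's key. Router names, addresses, secrets and the helper functions are constructed for illustration; sequence-number replay checks are omitted.

```python
import hashlib
import hmac
import socket
import struct

def build_hello(router_id: str, key_id: int, seq: int) -> bytes:
    """Constructed OSPFv2 Hello for area 0.0.0.0 with AuType 2."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"),
                       10, 0x02, 1, 40, bytes(4), bytes(4))
    header = struct.pack("!BBH4s4sHHHBBI",
                         2, 1, 24 + len(body),      # version, type 1 (Hello), length
                         socket.inet_aton(router_id), bytes(4),
                         0, 2,                      # checksum unused, AuType 2
                         0, key_id, 16, seq)        # 0, Key ID, digest length, sequence
    return header + body

def pad(secret: bytes) -> bytes:
    """The secret is zero-padded to 16 bytes before hashing."""
    return secret.ljust(16, b"\x00")

def sign(packet: bytes, secret: bytes) -> bytes:
    """Append MD5(packet || padded secret); there is one digest per packet."""
    return packet + hashlib.md5(packet + pad(secret)).digest()

def verify(wire: bytes, keyring: dict) -> bool:
    """Recompute the digest with the key selected by the packet's Key ID."""
    packet, digest = wire[:-16], wire[-16:]
    secret = keyring.get(packet[18])                # Key ID is at header offset 18
    if secret is None:
        return False
    expected = hashlib.md5(packet + pad(secret)).digest()
    return hmac.compare_digest(digest, expected)

def accepting(wire: bytes, receivers: dict) -> list:
    """Names of the receivers that accept this one multicast packet."""
    return [name for name, ring in receivers.items() if verify(wire, ring)]

# Case 1: every router on the segment holds the same key (constructed values).
SHARED = {1: b"segment-secret"}
shared_wire = sign(build_hello("192.0.2.1", 1, 100), SHARED[1])
shared_receivers = {"R2": SHARED, "R3": SHARED}

# Case 2: hypothetical pairwise keys; R1 can sign the multicast with only one.
pairwise_wire = sign(build_hello("192.0.2.1", 1, 101), b"r1-r2-secret")
pairwise_receivers = {"R2": {1: b"r1-r2-secret"}, "R3": {1: b"r1-r3-secret"}}

if __name__ == "__main__":
    print("shared key  :", accepting(shared_wire, shared_receivers))
    print("pairwise key:", accepting(pairwise_wire, pairwise_receivers))
```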