IETF Logo Mail Archive

Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for IESG review

Vishwas Manral <Vishwas@SINETT.COM> Mon, 10 January 2005 04:08 UTC

Received: from cherry.ease.lsoft.com (cherry.ease.lsoft.com [209.119.0.109]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id XAA00802 for <ospf-archive@LISTS.IETF.ORG>; Sun, 9 Jan 2005 23:08:53 -0500 (EST)
Received: from vms.dc.lsoft.com (209.119.0.2) by cherry.ease.lsoft.com (LSMTP for Digital Unix v1.1b) with SMTP id <19.00F3E8D3@cherry.ease.lsoft.com>; 9 Jan 2005 23:08:53 -0500
Received: by PEACH.EASE.LSOFT.COM (LISTSERV-TCP/IP release 14.3) with spool id 52698062 for OSPF@PEACH.EASE.LSOFT.COM; Sun, 9 Jan 2005 23:08:52 -0500
Received: from 63.197.255.158 by WALNUT.EASE.LSOFT.COM (SMTPL release 1.0l) with TCP; Sun, 9 Jan 2005 23:08:52 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Thread-Topic: draft-ietf-ospf-ospfv3-auth-06.txt Ready for IESG review
thread-index: AcT2gXRAoVKYcDZUSEKeUxrHKSX+CQASPhlA
Message-ID: <BB6D74C75CC76A419B6D6FA7C38317B259FCC6@sinett-sbs.SiNett.LAN>
Date: Sun, 09 Jan 2005 20:16:45 -0800
Reply-To: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
Sender: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
From: Vishwas Manral <Vishwas@SINETT.COM>
Subject: Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for IESG review
To: OSPF@PEACH.EASE.LSOFT.COM
Precedence: list
Content-Transfer-Encoding: quoted-printable

Hi Acee,

I agree totally with your views. 

However examples where algorithms "support has been changed" are: - 

"
   Old   Old         New
   Req.  RFC(s)      Requirement  Algorithm (notes)
   ---   ------      -----------  ---------
   MUST  2406        SHOULD NOT   DES-CBC [RFC 2405] (1)
   MUST  2402 2406   MAY          HMAC-MD5-96 [RFC 2403]
   MUST  2402 2406   MUST         HMAC-SHA1-96 [RFC 2404]
"

Thanks,
Vishwas

-----Original Message-----
From: Mailing List [mailto:OSPF@PEACH.EASE.LSOFT.COM] On Behalf Of Acee
Lindem
Sent: Monday, January 10, 2005 12:49 AM
To: OSPF@PEACH.EASE.LSOFT.COM
Subject: Re: draft-ietf-ospf-ospfv3-auth-06.txt Ready for IESG review

Mukesh, Vishwas,

Here is my take. The document should be written in such
a way that  it doesn't need to be updated every time the IPSec algorithm
de jour changes.

However, I also think the document should specify algorithms with the
caveat that they may be updated. IMHO, once an authentication/encrpytion
algorithm is deployed, it is unlikely to be withdrawn from support.
Hence,
if someone develops a stronger algorithm with lower computational 
requirements
and it becomes the recommended alogorithm, then implementations will
need
to support it in ADDITION to what they are currently supporting.

Is this possible? Any other opinions?

Thanks,
Acee


Mukesh Gupta wrote:

>Vishwas,
>
>Comments inline..
>
>  
>
>>VM> I do not think you talk about encryption at all when you 
>>talk about
>>AH. If you check the documents I have pointed to carefully, 
>>you will see
>>NULL Encryption is a special case of encryption when encryption is not
>>used.
>>    
>>
>
>Would it make more sense if we change the text "NULL encryption" 
>to "NULL encryption (for ESP) or no encryption (for AH)" ?
>
>  
>
>>Suresh> We are not a fan of DES either for obvious reasons.  But as we
>>wanted to start with the weakest algorithm, we started with DES.  We
>>wouldn't have to mention DES at all, had IETF/NIST 
>>suggested DES as "MUST NOT".
>>VM> I still don't see a reason why we should talk about DES at all.
>>    
>>
>
>I still don't understand why we can't use DES as an example of a weak
>encryption algorithm.  
>
>I would like to hear others' opnion about this ?  Acee?
>
>  
>
>>Suresh> Mukesh and I discussed this again and we agree that 
>>referring to
>>the IPsec algorithm draft should be the better way to go.  
>>VM> Also not for the authentication you have given the key length and
>>for Encryption you have not(so there is anyway a case of 
>>inconsistency).
>>    
>>
>
>Yeah but this will be fixed too if we didn't mention any algorithm
>and just pointed to the madatory to implement algos.  Right ?
>
>  
>
>>Suresh> What about the following:
>>"Replaying these type of packets can make the router spend some
>>resources.  Also when the OSPF adjacency is not FULL, replaying 
>>database description packets can cause disruption in forming the
>>adjacency."
>>VM> Its not just forming the adjacency Suresh but the link becoming
>>unusable for transit traffic (DoS). In my view you should 
>>just refer to
>>the vulnerabilities draft and probably put a sentence like the above.
>>    
>>
>
>We do refer to the vulnerabilities draft after the brief discussion
>of the replay vulnerabilities..  So are you ok with putting the
>text proposed above and then referring to the vulerabilities draft ?
>
>  
>
>>VM> You are right. However I think the aim of the draft is to specify
>>how we should use IPSec (guidelines) as well as specify the default
>>behavior(Maybe for all optional parameters we should specify this).
>>    
>>
>
>You are right.  The aim of this draft is to specify how OSPFv3 should
>use IPsec but I still fail to understand why we need to specify things
>that are not related or exposed to OSPF :(
>
>What exactly do you want to specify about ESN?  Do we want to say
>that there is no impact of the usage of ESN by the underlying IPsec
>implementation on OSPFv3 security because sequence numbers are ignored
>while manual keys are used ?
>
>Regards
>Mukesh
>
>  
>

v2.23.0 | Report a Bug | By Email