Re: Clarification of when authentication is used

Fred Baker <fbaker@acc.com> Tue, 02 August 1994 21:47 UTC

Date: Tue, 02 Aug 1994 14:44:43 -0800
To: Gary Scott Malkin <gmalkin@xylogics.com>
From: Fred Baker <fbaker@acc.com>
Subject: Re: Clarification of when authentication is used
Cc: ietf-rip@xylogics.com, jch@nr-tech.cit.cornell.edu

At  4:27 PM 8/2/94 -0400, Gary Scott Malkin wrote:
>> My implementation of RIP assumed that both RIP REQUESTs and RESPONSEs
>> would need to be authenticated.  With the MD5 work it only seems to
>> make sense to authenticate RESPONSEs.
>
>That is how my implementation works also.  As you said, one needs to
>prevent the clear-text password from escaping in a query.  For the
>MD5, we could go either way.
>
>Fred, does OSPF handle this?  We should do it the same way.  The
>clarification need only be in the MD5 extension document though; I
>don't think we need to reopen the RIP-2 I-D now.

OSPF is a little different story. In RIP, responses convey information,
responses are used by network management to ask for a "get bulk" of the
route table or to trigger request an update from a neighbor.

If the issue was only triggering requests for updates, then Jeff's first
shot would have been right - authenticate them both. It's the network
management application that breaks.

In OSPF, the messages are used entirely for maintaining relationships
between routers or handling routing information. Network management is
handled via some other mechanism. I think the parallel breaks down.

I dunno, I would agree with Jeff's assessment: it is information exchange
we are authenticating, we shouldn't break the management applications that
use RIP Requests to dump route tables. Having said which, seems like the
same logic applies to passwords.

=============================================================================
                        "In sound wisdom there are two sides"
                                        Zophar, Job 11:6