Re: Clarification of when authentication is used

Fred Baker <fbaker@acc.com> Tue, 02 August 1994 21:47 UTC

Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa14417; 2 Aug 94 17:47 EDT
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa14413; 2 Aug 94 17:47 EDT
Received: from atlas.xylogics.com by CNRI.Reston.VA.US id aa17846; 2 Aug 94 17:47 EDT
Received: by atlas.xylogics.com id AA21484 (5.65c/UK-2.1-940401); Tue, 2 Aug 1994 17:47:48 -0400
Received: from fennel.acc.com by atlas.xylogics.com with SMTP id AA18984 (5.65c/UK-2.1-940401); Tue, 2 Aug 1994 17:47:28 -0400
Received: from by fennel.acc.com (4.1/SMI-4.1) id AB00429; Tue, 2 Aug 94 14:44:39 PDT
Message-Id: <9408022144.AB00429@fennel.acc.com>
X-Sender: fbaker@129.192.64.25
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 2 Aug 1994 14:44:43 -0800
To: Gary Scott Malkin <gmalkin@xylogics.com>
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Fred Baker <fbaker@acc.com>
Subject: Re: Clarification of when authentication is used
Cc: ietf-rip@xylogics.com, jch@nr-tech.cit.cornell.edu

At  4:27 PM 8/2/94 -0400, Gary Scott Malkin wrote:
>> My implementation of RIP assumed that both RIP REQUESTs and RESPONSEs
>> would need to be authenticated.  With the MD5 work it only seems to
>> make sense to authenticate RESPONSEs.
>
>That is how my implementation works also.  As you said, one needs to
>prevent the clear-text password from escaping in a query.  For the
>MD5, we could go either way.
>
>Fred, does OSPF handle this?  We should do it the same way.  The
>clarification need only be in the MD5 extension document though; I
>don't think we need to reopen the RIP-2 I-D now.

OSPF is a little different story. In RIP, responses convey information,
responses are used by network management to ask for a "get bulk" of the
route table or to trigger request an update from a neighbor.

If the issue was only triggering requests for updates, then Jeff's first
shot would have been right - authenticate them both. It's the network
management application that breaks.

In OSPF, the messages are used entirely for maintaining relationshiips
between routers or handling routing information. Network management is
handled via some other mechanism. I think the parallel breaks down.

I dunno, I would agree with Jeff's assessment: it is information exchange
we are authenticating, we shouldn't break the management applications that
use RIP Requests to dump route tables. Having said which, seems like the
same logic applies to passwords.

=============================================================================
                        "In sound wisdom there are two sides"
                                        Zophar, Job 11:6