Re: [RPSEC] [sidr] Authentication for OSPFv3

"Vishwas Manral" <vishwas.ietf@gmail.com> Wed, 01 October 2008 15:57 UTC

Message-ID: <77ead0ec0809291853t63940339xc826b13cf5515176@mail.gmail.com>
Date: Tue, 30 Sep 2008 07:23:24 +0530
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: Sandy Murphy <sandy@tislabs.com>
Cc: msec@ietf.org, tsvwg@ietf.org, edward.jankiewicz@sri.com, ospf@ietf.org, secdir@mit.edu, rpsec@ietf.org, dward@cisco.com, sidr@ietf.org, rcallon@juniper.net
In-Reply-To: <20080929200231.3E5DD3F443@pecan.tislabs.com>
References: <48D96507.4000207@sri.com> <20080929200231.3E5DD3F443@pecan.tislabs.com>
Subject: Re: [RPSEC] [sidr] Authentication for OSPFv3

Hi Sandy,

Thanks for referring to my draft in your mail. The same was presented
by Dave (Ward) in the last IETF. Regarding the state of the draft,
because the RPSEC is closing down, we have been trying to find a home
for the draft.

We can also solve the problem similarly by something like
BTNS (of course the multicast part needs to be thought about further), which does
not necessarily require any certificate verification - so we may have
unauthenticated IKE SAs, but then all keys for the CHILD_SA from there
are automatically generated.

Thanks,
Vishwas

On 9/30/08, Sandy Murphy <sandy@tislabs.com> wrote:
>>What (if any) current initiatives are there that would support automated
>>key exchange for OSPFv3 authentication?
>
> You have msec on the list of recipients, which is where I (not an active
> participant, mind you) think the answer lies.  Both GDOI (RFC 3547) and
> GSAKMP (RFC 4535) are group key management protocols, which is what
> OSPFv3 needs.  Unfortunately, both assume the existence of a group
> controller that plays an important role in distributing keys.  In other
> words, the very democratic all-are-equal many-to-many model of OSPF might
> find it difficult to map to the envisioned group security architecture.  I
> suppose it might be possible to consider the Designated Router as the
> group controller, but as the DR is elected, that might be a difficult fit.
>
> Even if you solve the group key management problem for OSPFv3, you still
> have the difficulty of doing anti-replay in a multicast environment.
> Manral presented a draft some years ago to the rpsec working group about
> the crypto vulnerabilities of routing protocols, and concentrated for
> OSPFv3 on replay vulnerabilities.  Unfortunately, that did not go anywhere.
>
> Just for fun, I'm adding the routing area ADs and the secdir on this list.
> This is one of those cross-disciplinary concerns that has the right people
> in several different wgs and areas.  The more the merrier, right?
>
> The one quibble I have is that the tsvwg probably has little to do with this
> problem - the transport for OSPFv3 is IP, not TCP, and IP is not the level
> of stuff their charter looks at.
>
> (And sorry for the late reply to your messages, I've been mulling the
> options.)
>
> --Sandy
>
> ---------  In reply to ------------------------
>
> Date: Tue, 23 Sep 2008 17:52:07 -0400
> From: Ed Jankiewicz <edward.jankiewicz@sri.com>
> To: ospf@ietf.org, rpsec@ietf.org, sidr@ietf.org, msec@ietf.org,
> tsvwg@ietf.org
> Subject: [RPSEC] Authentication for OSPFv3
>
> I am not an active follower of these lists but have a question.  Please
> reply off-list directly to ed.jankiewicz@sri.com or copy me if this
> triggers relevant discussion on your list.
>
> What (if any) current initiatives are there that would support automated
> key exchange for OSPFv3 authentication?  RFC 4552 relies upon pre-shared
> secret keys for generating the message digest, but some of my constituents
> have issues with manual generation, distribution and configuration of
> keys in their IPv6 network deployment.  Is any of the current work on
> IKE revisions applicable, any work being done in your working group, or
> do you know of any OSPF-specific solution being developed somewhere?
>
> Thanks.
>
> --
> Ed Jankiewicz - SRI International
> Fort Monmouth Branch Office - IPv6 Research
> Supporting DISA Standards Engineering Branch
> 732-389-1003 or  ed.jankiewicz@sri.com
>
_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/rpsec
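The following is an added illustration, not code from anyone in this thread, of Sandy's point that anti-replay is hard on a multicast link and of the manual-keying setup Ed describes. It models a simplified RFC 4303-style sliding replay window and runs it over constructed OSPFv3-like traffic in which several routers share one group SA. The link-local addresses, the SPI and the sequence numbers are all made up for the example.

```python
"""Added illustration of the anti-replay problem on a shared multicast SA.

Not code from the thread: it models an RFC 4303-style sliding replay window
and runs it over constructed OSPFv3-like traffic. Link-local addresses, the
SPI and the sequence numbers below are all made up for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW = 64  # size of the replay bitmap in bits (RFC 4303 minimum is 32)


@dataclass
class ReplayWindow:
    """Sliding window over ONE sequence-number space, i.e. one sender."""
    top: int = 0     # highest sequence number accepted so far
    bitmap: int = 0  # bit i set means sequence (top - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Accept seq (True) if it is new and within the window, else reject."""
        if seq == 0:
            return False                     # counters start at 1
        if seq > self.top:                   # advances the right edge
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= WINDOW:
            return False                     # left of the window: treated as replay
        if self.bitmap & (1 << diff):
            return False                     # already seen: replay
        self.bitmap |= 1 << diff
        return True


@dataclass(frozen=True)
class Packet:
    src: str  # link-local source address of the sending router (constructed)
    spi: int  # SPI of the group SA shared by every router on the link
    seq: int  # the sender's own sequence counter


def constructed_traffic() -> List[Packet]:
    """Packets as a receiver on a multi-access link might see them (constructed)."""
    spi = 0x100
    pkts = [Packet("fe80::a", spi, s) for s in (200, 201, 202)]  # A up for a while
    pkts += [Packet("fe80::b", spi, s) for s in (1, 2)]          # B just joined
    pkts.append(Packet("fe80::a", spi, 201))                      # replay of A's 201
    pkts.append(Packet("fe80::c", spi, 150))                      # C, legitimate
    return pkts


def run_shared_window(packets: List[Packet]) -> List[bool]:
    """Naive receiver: one window for the SA, as if the SA had one sender."""
    win = ReplayWindow()
    return [win.check_and_update(p.seq) for p in packets]


def run_per_sender_windows(packets: List[Packet]) -> List[bool]:
    """Receiver keeps replay state per (source address, SPI)."""
    wins: Dict[Tuple[str, int], ReplayWindow] = {}
    results = []
    for p in packets:
        win = wins.setdefault((p.src, p.spi), ReplayWindow())
        results.append(win.check_and_update(p.seq))
    return results


def sender_reboot_with_same_key() -> bool:
    """Per-sender state still fails when a sender's counter resets under the same key."""
    win = ReplayWindow()
    win.check_and_update(500)       # last packet seen from B before it rebooted
    return win.check_and_update(1)  # B restarts at 1: rejected as a stale replay


if __name__ == "__main__":
    traffic = constructed_traffic()
    for p, shared, per_sender in zip(traffic, run_shared_window(traffic),
                                     run_per_sender_windows(traffic)):
        print(f"{p.src:9} seq={p.seq:4}  shared={shared!s:5}  per-sender={per_sender}")
    print("B after reboot accepted:", sender_reboot_with_same_key())
```

Run stand-alone, the shared window drops B's legitimate first packets (their sequence numbers sit far below A's) while the per-sender table accepts them and still rejects the replayed packet from A. Two caveats follow from the model: per-sender state is only as good as the sender identity it is keyed on, and a symmetric group key proves membership in the group, not which member originated a packet; and when a sender reboots and restarts its counter under the same manually configured key, the receiver cannot tell that from a replay, which is the reason manually keyed IPsec SAs are generally run without anti-replay at all.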