Re: [RPSEC] [Tsvwg] Authentication for OSPFv3
Brian Weis <bew@cisco.com> Wed, 01 October 2008 15:57 UTC
In-Reply-To: <20080929200231.3E5DD3F443@pecan.tislabs.com>
References: <20080929200231.3E5DD3F443@pecan.tislabs.com>
Mime-Version: 1.0 (Apple Message framework v753.1)
Message-Id: <174D7A1B-7E6F-4B98-94A8-8174803723E1@cisco.com>
From: Brian Weis <bew@cisco.com>
Date: Tue, 30 Sep 2008 09:14:41 -0700
To: Sandy Murphy <sandy@tislabs.com>
Cc: msec@ietf.org, tsvwg list IETF <tsvwg@ietf.org>, edward.jankiewicz@sri.com, ospf@ietf.org, "secdir@MIT.EDU" <secdir@mit.edu>, rpsec@ietf.org, David Ward <dward@cisco.com>, sidr@ietf.org, Ross Callon <rcallon@juniper.net>
Subject: Re: [RPSEC] [Tsvwg] Authentication for OSPFv3
On Sep 29, 2008, at 1:02 PM, Sandy Murphy wrote:

>> What (if any) current initiatives are there that would support
>> automated key exchange for OSPFv3 authentication?
>
> You have msec on the list of recipients, which is where I (not an
> active participant, mind you) think the answer lies.

I agree with Sandy.

> Both GDOI (RFC 3547) and GSAKMP (RFC 4535) are group key management
> protocols, which is what OSPFv3 needs. Unfortunately, both assume the
> existence of a group controller that plays an important role in
> distributing keys. In other words, the very democratic all-are-equal
> many-to-many model of OSPF might find it difficult to map to the
> envisioned group security architecture. I suppose it might be possible
> to consider the Designated Router as the group controller, but as the
> DR is elected, that might be a difficult fit.

There is an expired individual I-D that explores several options along
these lines:
<http://tools.ietf.org/html/draft-liu-ospfv3-automated-keying-req-01>.
However, there isn't (in my opinion) an obvious way forward. We can
allocate some time on the Minneapolis MSEC WG agenda on this topic if
there's sufficient interest.

Brian

> Even if you solve the group key management problem for OSPFv3, you
> still have the difficulty of doing anti-replay in a multicast
> environment. Manral presented a draft some years ago to the rpsec
> working group about the crypto vulnerabilities of routing protocols,
> and concentrated for OSPFv3 on replay vulnerabilities. Unfortunately,
> that did not go anywhere.
>
> Just for fun, I'm adding the routing area ADs and the secdir on this
> list. This is one of those cross-disciplinary concerns that has the
> right people in several different wgs and areas. The more the merrier,
> right?
>
> The one quibble I have is that the tsvwg probably has little to do with
> this problem - the transport for OSPFv3 is IP, not TCP, and IP is not
> the level of stuff their charter looks at.
>
> (And sorry for the late reply to your messages, I've been mulling the
> options.)
>
> --Sandy
>
> --------- In reply to ------------------------
>
> Date: Tue, 23 Sep 2008 17:52:07 -0400
> From: Ed Jankiewicz <edward.jankiewicz@sri.com>
> To: ospf@ietf.org, rpsec@ietf.org, sidr@ietf.org, msec@ietf.org, tsvwg@ietf.org
> Subject: [RPSEC] Authentication for OSPFv3
>
> I am not an active follower of these lists but have a question. Please
> reply off-list directly to ed.jankiewicz@sri.com or copy me if this
> triggers relevant discussion on your list.
>
> What (if any) current initiatives are there that would support
> automated key exchange for OSPFv3 authentication? RFC 4552 relies upon
> pre-shared secret keys for generating message digests, but some of my
> constituents have issues with manual generation, distribution and
> configuration of keys in their IPv6 network deployment. Is any of the
> current work on IKE revisions applicable, any work being done in your
> working group, or do you know of any OSPF-specific solution being
> developed somewhere?
>
> Thanks.
>
> --
> Ed Jankiewicz - SRI International
> Fort Monmouth Branch Office - IPv6 Research
> Supporting DISA Standards Engineering Branch
> 732-389-1003 or ed.jankiewicz@sri.com
>
> _______________________________________________
> RPSEC mailing list
> RPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/rpsec

--
Brian Weis
Router/Switch Security Group, ARTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com
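Sandy's point that group keying alone does not give you anti-replay on a multicast link, shown as an added example that is not part of this thread or of any of the cited RFCs or drafts: a Python sketch of the receiver-side bookkeeping a group-keyed scheme needs. The group key, the sender ids, the packet layout (sender id, sequence number, payload, HMAC-SHA256 tag) and the window size are all constructed for the demo; the sliding-window bitmap follows the ESP-style anti-replay idea, but is kept once per sender rather than once per security association, because each sender on a multicast link advances its own sequence counter.

```python
import hashlib
import hmac
import struct

# Constructed demo key: stands in for the manually configured pre-shared key
# that every router on the link would hold under RFC 4552-style keying.
GROUP_KEY = b"constructed-demo-group-key"
WINDOW_BITS = 32             # sliding replay window kept per sender (assumed size)
TAG_LEN = 32                 # HMAC-SHA256 tag length in bytes
HDR = struct.Struct("!II")   # constructed header: sender id, sequence number


def build_packet(sender_id: int, seq: int, payload: bytes, key: bytes = GROUP_KEY) -> bytes:
    """sender_id || seq || payload || HMAC-SHA256(key, sender_id || seq || payload)."""
    body = HDR.pack(sender_id, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class PerSourceReplayWindow:
    """Receiver side: verify the group MAC, then run one sliding window per sender.

    One window for the whole group (the way a unicast SA keeps one counter)
    cannot work on a multicast link, since every sender numbers its own
    packets independently; the receiver has to keep state per source.
    """

    def __init__(self, key: bytes = GROUP_KEY, window_bits: int = WINDOW_BITS):
        self.key = key
        self.window_bits = window_bits
        self.mask = (1 << window_bits) - 1
        # sender_id -> (highest seq accepted, bitmap; bit k set means seq top-k was seen)
        self.state: dict[int, tuple[int, int]] = {}

    def accept(self, packet: bytes) -> str:
        if len(packet) < HDR.size + TAG_LEN:
            return "malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"          # not produced with the group key
        sender_id, seq = HDR.unpack(body[:HDR.size])
        top, bitmap = self.state.get(sender_id, (0, 0))
        if seq > top:                 # new high-water mark for this sender: slide the window
            shift = seq - top
            bitmap = 1 if shift >= self.window_bits else ((bitmap << shift) | 1) & self.mask
            self.state[sender_id] = (seq, bitmap)
            return "ok"
        offset = top - seq
        if offset >= self.window_bits:
            return "too-old"          # fell off the window; rejected like a replay
        if bitmap & (1 << offset):
            return "replay"           # this exact seq from this sender was already accepted
        self.state[sender_id] = (top, bitmap | (1 << offset))
        return "ok"                   # late but previously unseen


def demo() -> dict:
    """Two senders share one key; a played-back copy and a wrong-key packet are rejected."""
    rx = PerSourceReplayWindow()
    a = 0x0A000001   # constructed sender ids
    b = 0x0A000002
    a1 = build_packet(a, 1, b"hello from A, seq 1")
    a2 = build_packet(a, 2, b"hello from A, seq 2")
    b1 = build_packet(b, 1, b"hello from B, seq 1")
    a_far = build_packet(a, 2 + WINDOW_BITS, b"A jumps ahead")
    forged = build_packet(a, 3, b"not a group member", key=b"wrong-key")
    return {
        "a1": rx.accept(a1),
        "b1": rx.accept(b1),          # same seq as a1, but B has its own window
        "a2": rx.accept(a2),
        "a1_again": rx.accept(a1),    # captured copy played back -> replay
        "forged": rx.accept(forged),  # wrong key -> MAC fails before the window is consulted
        "a_far": rx.accept(a_far),
        "a1_stale": rx.accept(a1),    # now more than WINDOW_BITS behind -> too-old
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} {verdict}")
```

Two things the code makes visible that the prose only hints at. First, the per-source state is what makes rejection of `a1_again` possible at all; a single group-wide counter would have been overtaken by B's traffic and would either reject legitimate packets or accept replays. Second, the shared key proves only that the packet came from some holder of the group key, not which one, so the sender id that selects the window is exactly as trustworthy as every member of the group; that is the gap a group key management protocol does not close by itself.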