Re: [RPSEC] [Tsvwg] Authentication for OSPFv3

Brian Weis <bew@cisco.com> Wed, 01 October 2008 15:57 UTC

Return-Path: <rpsec-bounces@ietf.org>
X-Original-To: rpsec-archive@megatron.ietf.org
Delivered-To: ietfarch-rpsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5D5103A6C68; Wed, 1 Oct 2008 08:57:12 -0700 (PDT)
X-Original-To: rpsec@core3.amsl.com
Delivered-To: rpsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F04593A691E; Tue, 30 Sep 2008 09:13:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OHnJR+F2MVGA; Tue, 30 Sep 2008 09:13:14 -0700 (PDT)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id DF7403A67E7; Tue, 30 Sep 2008 09:13:13 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.33,338,1220227200"; d="scan'208";a="84812259"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-1.cisco.com with ESMTP; 30 Sep 2008 16:12:58 +0000
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id m8UGCw40002981; Tue, 30 Sep 2008 09:12:58 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id m8UGCv3B026482; Tue, 30 Sep 2008 16:12:58 GMT
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 30 Sep 2008 09:12:58 -0700
Received: from [10.32.244.214] ([10.32.244.214]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 30 Sep 2008 09:12:57 -0700
In-Reply-To: <20080929200231.3E5DD3F443@pecan.tislabs.com>
References: <20080929200231.3E5DD3F443@pecan.tislabs.com>
Mime-Version: 1.0 (Apple Message framework v753.1)
Message-Id: <174D7A1B-7E6F-4B98-94A8-8174803723E1@cisco.com>
From: Brian Weis <bew@cisco.com>
Date: Tue, 30 Sep 2008 09:14:41 -0700
To: Sandy Murphy <sandy@tislabs.com>
X-Mailer: Apple Mail (2.753.1)
X-OriginalArrivalTime: 30 Sep 2008 16:12:57.0962 (UTC) FILETIME=[673694A0:01C92317]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3675; t=1222791178; x=1223655178; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=bew@cisco.com; z=From:=20Brian=20Weis=20<bew@cisco.com> |Subject:=20Re=3A=20[Tsvwg]=20[RPSEC]=20Authentication=20fo r=20OSPFv3 |Sender:=20; bh=KjgDb/hr33RoXazjjqvua8isYhWhUH5Kth/XJmjLj5c=; b=vOxaQOecIl33DdvKWNRYvZ0H9rrDVpjXmCTgGtPvSd/FkYUgPD0+fkALUc cILTFKR5kGsuJNbyo9+v8W8UFBeCkm1/a9QMi3TMHrHuhzCDa9F/uOdPREhK mQj65P1qYy;
Authentication-Results: sj-dkim-3; header.From=bew@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
X-Mailman-Approved-At: Wed, 01 Oct 2008 08:57:10 -0700
Cc: msec@ietf.org, tsvwg list IETF <tsvwg@ietf.org>, edward.jankiewicz@sri.com, ospf@ietf.org, "secdir@MIT.EDU" <secdir@mit.edu>, rpsec@ietf.org, David Ward <dward@cisco.com>, sidr@ietf.org, Ross Callon <rcallon@juniper.net>
Subject: Re: [RPSEC] [Tsvwg] Authentication for OSPFv3
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: rpsec-bounces@ietf.org
Errors-To: rpsec-bounces@ietf.org

On Sep 29, 2008, at 1:02 PM, Sandy Murphy wrote:

>> What (if any) current initiatives are there that would support automated
>> key exchange for OSPFv3 authentication?
>
> You have msec on the list of recipients, which is where I (not an active
> participant, mind you) think the answer lies.

I agree with Sandy.

> Both GDOI (RFC 3547) and GSAKMP (RFC 4535) are group key management
> protocols, which is what OSPFv3 needs.  Unfortunately, both assume the
> existence of a group controller that plays an important role in
> distributing keys.  In other words, the very democratic all-are-equal
> many-to-many model of OSPF might find it difficult to map to the
> envisioned group security architecture.  I suppose it might be possible
> to consider the Designated Router as the group controller, but as the DR
> is elected, that might be a difficult fit.

There is an expired individual I-D that explores several options along
these lines:
<http://tools.ietf.org/html/draft-liu-ospfv3-automated-keying-req-01>.
However, there isn't (in my opinion) an obvious way forward. We can
allocate some time on the Minneapolis MSEC WG agenda on this topic if
there's sufficient interest.

Brian

> Even if you solve the group key management problem for OSPFv3, you still
> have the difficulty of doing anti-replay in a multicast environment.
> Manral presented a draft some years ago to the rpsec working group about
> the crypto vulnerabilities of routing protocols, and concentrated for
> OSPFv3 on replay vulnerabilities.  Unfortunately, that did not go
> anywhere.
>
> Just for fun, I'm adding the routing area ADs and the secdir on this
> list.  This is one of those cross-disciplinary concerns that has the
> right people in several different wgs and areas.  The more the merrier,
> right?
>
> The one quibble I have is that the tsvwg probably has little to do with
> this problem - the transport for OSPFv3 is IP, not TCP, and IP is not
> the level of stuff their charter looks at.
>
> (And sorry for the late reply to your messages, I've been mulling the
> options.)
>
> --Sandy
>
> ---------  In reply to ------------------------
>
> Date: Tue, 23 Sep 2008 17:52:07 -0400
> From: Ed Jankiewicz <edward.jankiewicz@sri.com>
> To: ospf@ietf.org, rpsec@ietf.org, sidr@ietf.org, msec@ietf.org,  
> tsvwg@ietf.org
> Subject: [RPSEC] Authentication for OSPFv3
>
> I am not an active follower of these lists but have a question.  Please
> reply off-list directly to ed.jankiewicz@sri.com or copy me if this
> triggers relevant discussion on your list.
>
> What (if any) current initiatives are there that would support automated
> key exchange for OSPFv3 authentication?  RFC 4552 relies upon pre-shared
> secret keys for generating message digest, but some of my constituents
> have issues with manual generation, distribution and configuration of
> keys in their IPv6 network deployment.  Is any of the current work on
> IKE revisions applicable, any work being done in your working group, or
> do you know of any OSPF-specific solution being developed somewhere?
>
> Thanks.
>
> -- 
> Ed Jankiewicz - SRI International
> Fort Monmouth Branch Office - IPv6 Research
> Supporting DISA Standards Engineering Branch
> 732-389-1003 or  ed.jankiewicz@sri.com
>
> _______________________________________________
> RPSEC mailing list
> RPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/rpsec
>

-- 
Brian Weis
Router/Switch Security Group, ARTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com
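The anti-replay difficulty Sandy raises above (a single manually keyed group SA shared by every router on the link, as in RFC 4552) can be made concrete with a small model. The following is an added example written for this archive page, not code from the thread or from any OSPF implementation: the packet layout, SPI, group key, router addresses and Hello payload are all constructed, and the receiver window is a simplified version of the usual IPsec sliding window. It shows why a single per-SA window breaks legitimate multi-sender traffic, why dropping anti-replay (the RFC 4552 outcome) lets a captured Hello be replayed, and why even per-sender windows do not fully solve it under manual keys when a sender reboots and its sequence counter restarts.

```python
"""Replay handling for a manually keyed OSPFv3 group SA (added example).

Assumptions (constructed for illustration): one HMAC-SHA1 key shared by
all routers on the link, a fixed SPI, link-local source addresses as
sender identity, and an opaque Hello payload.
"""
import hashlib
import hmac
from dataclasses import dataclass

GROUP_KEY = b"constructed-manual-key-shared-by-all-routers"  # assumption
SPI = 0x1000  # constructed SPI for the link's group SA


@dataclass(frozen=True)
class AuthPacket:
    spi: int
    seq: int        # per-sender sequence number
    src: str        # sender's link-local address (constructed)
    payload: bytes  # OSPFv3 packet bytes (constructed)
    icv: bytes      # HMAC over the fields above


def _mac(key, spi, seq, src, payload):
    msg = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + src.encode() + payload
    return hmac.new(key, msg, hashlib.sha1).digest()


def send(key, seq, src, payload):
    return AuthPacket(SPI, seq, src, payload, _mac(key, SPI, seq, src, payload))


def icv_ok(key, pkt):
    return hmac.compare_digest(pkt.icv, _mac(key, pkt.spi, pkt.seq, pkt.src, pkt.payload))


class ReplayWindow:
    """Sliding window; the caller chooses what identifies an SA."""

    def __init__(self, size=64):
        self.size = size
        self.state = {}  # sa_key -> (highest seq seen, set of seqs seen in window)

    def accept(self, sa_key, seq):
        top, seen = self.state.get(sa_key, (0, set()))
        if seq > top:                      # advance the window
            seen = {s for s in seen if s > seq - self.size}
            seen.add(seq)
            self.state[sa_key] = (seq, seen)
            return True
        if seq <= top - self.size or seq in seen:
            return False                   # too old, or already seen: replay
        seen.add(seq)
        self.state[sa_key] = (top, seen)
        return True


def receive(key, pkt, window=None, per_sender=False):
    """True if the receiver accepts pkt.

    window=None      : ICV check only, no anti-replay (manual-key RFC 4552 behaviour)
    per_sender=False : one window for the whole SA, as a unicast IPsec receiver keeps
    per_sender=True  : one window per (SPI, source address)
    """
    if not icv_ok(key, pkt):
        return False
    if window is None:
        return True
    sa_key = (pkt.spi, pkt.src) if per_sender else pkt.spi
    return window.accept(sa_key, pkt.seq)


def demo():
    hello = b"OSPFv3 Hello (constructed)"
    a = [send(GROUP_KEY, s, "fe80::a", hello) for s in (1, 2, 3)]
    b = [send(GROUP_KEY, s, "fe80::b", hello) for s in (1, 2, 3)]
    traffic = a + b

    # 1. One window for the shared SA: B's genuine packets look like replays of A's.
    shared = ReplayWindow()
    shared_results = [receive(GROUP_KEY, p, shared) for p in traffic]

    # 2. No anti-replay at all: a captured Hello from A verifies again later,
    #    because the ICV is still valid under the long-lived group key.
    replay_accepted = receive(GROUP_KEY, a[0], None)

    # 3. Per-sender windows carry interleaved traffic and reject the replay,
    #    but a rebooted sender restarts at seq 1 under the same manual key and
    #    its fresh packets are now indistinguishable from replays.
    per = ReplayWindow()
    per_results = [receive(GROUP_KEY, p, per, per_sender=True) for p in traffic]
    per_replay = receive(GROUP_KEY, a[0], per, per_sender=True)
    after_reboot = receive(GROUP_KEY, send(GROUP_KEY, 1, "fe80::a", hello), per, per_sender=True)

    return {
        "shared_window": shared_results,
        "no_replay_check_accepts_replay": replay_accepted,
        "per_sender": per_results,
        "per_sender_rejects_replay": per_replay,
        "per_sender_after_reboot": after_reboot,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Each of the three receiver policies fails in a different way, which is the point of the model: the group key alone authenticates the link, but nothing in a manually keyed SA gives a receiver a trustworthy notion of "fresh" for a given sender, and that is what an automated group keying scheme would also need to supply.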

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/rpsec