Re: [RPSEC] [OSPF] [sidr] Authentication for OSPFv3

David Ward <dward@cisco.com> Tue, 30 September 2008 15:44 UTC

From: David Ward <dward@cisco.com>
Date: Tue, 30 Sep 2008 10:44:39 -0500
To: Vishwas Manral <vishwas.ietf@gmail.com>
Cc: Ross Callon <rcallon@juniper.net>, rpsec@ietf.org, David Ward <dward@cisco.com>, Acee Lindem <acee@redback.com>
Subject: Re: [RPSEC] [OSPF] [sidr] Authentication for OSPFv3

Reducing the list a bit ... You now need to ask the WG chairs if  
there was consensus to accept the doc.

-DWard



On Sep 30, 2008, at 10:42 AM, Vishwas Manral wrote:

> Hi Acee,
>
> I agree with what you say and the general sense of the room in the
> KMART BOF.
> That is the reason I proposed a BTNS based solution, which uses GTSM
> in the IKE to do the first level security.
>
> Also as IGP run within an administrative domain we can actually do
> without third party verification.
>
> Hi Dave,
>
> Thanks for your help and shepherding as always.
>
> The issue about adopting the draft was raised in the OPSEC WG by the
> chair Joel, however we only had a handful of mails saying the draft
> was within the scope (though none were opposed to it).
>
> Thanks,
> Vishwas
>
>
> On 9/30/08, Acee Lindem <acee@redback.com> wrote:
>> One thing to take into consideration is that the outcome of our KMART
>> BOF was that nobody deploying networks wanted routing infrastructure
>> based on third-party verified certificates.
>> Thanks,
>> Acee
>> On Sep 30, 2008, at 10:57 AM, David Ward wrote:
>>
>>> Directions are to send your draft to opsec WG. To get it on their
>>> charter, you have to request the doc to become a WG item and then
>>> discussion will follow
>>>
>>> -DWard
>>>
>>> On Sep 29, 2008, at 8:53 PM, Vishwas Manral wrote:
>>>
>>>> Hi Sandy,
>>>>
>>>> Thanks for referring to my draft in your mail. The same was presented
>>>> by Dave (Ward) in the last IETF. Regarding the state of the draft,
>>>> because the RPSEC is closing down, we have been trying to find a home
>>>> for the draft.
>>>>
>>>> We can also solve the problem similarly by something like
>>>> BTNS (of course Multicast part needs to be thought further) which does
>>>> not necessarily require any certificate verification - so we may have
>>>> unauthenticated IKE SAs but then all keys for the CHILD_SA from there
>>>> are automatically generated.
>>>>
>>>> Thanks,
>>>> Vishwas
>>>>
>>>>