Re: [secdir] secdir review of draft-ietf-ospf-security-extension-manual-keying-09

"Acee Lindem (acee)" <acee@cisco.com> Mon, 03 November 2014 15:11 UTC

From: "Acee Lindem (acee)" <acee@cisco.com>
To: "Shaun Cooley (shcooley)" <shcooley@cisco.com>, "draft-ietf-ospf-security-extension-manual-keying.all@tools.ietf.org" <draft-ietf-ospf-security-extension-manual-keying.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Date: Mon, 03 Nov 2014 15:11:15 +0000
Message-ID: <D07D0530.747F%acee@cisco.com>
References: <187A7B1DA239514F9146FC78B19AADE3502CD332@xmb-aln-x10.cisco.com> <187A7B1DA239514F9146FC78B19AADE3502CD38A@xmb-aln-x10.cisco.com>
In-Reply-To: <187A7B1DA239514F9146FC78B19AADE3502CD38A@xmb-aln-x10.cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/Qu44hZFLjuCLxkYUQHeHWTbOolU
Subject: Re: [secdir] secdir review of draft-ietf-ospf-security-extension-manual-keying-09

Shaun,
Thanks for your review.
Acee

From: "Shaun Cooley (shcooley)" <shcooley@cisco.com>
Date: Monday, October 27, 2014 at 7:30 PM
To: <draft-ietf-ospf-security-extension-manual-keying.all@tools.ietf.org>, <secdir@ietf.org>, <iesg@ietf.org>
Subject: secdir review of draft-ietf-ospf-security-extension-manual-keying-09
Resent-From: <draft-alias-bounces@tools.ietf.org>
Resent-To: Acee Lindem <acee@cisco.com>, Alia Atlas <akatlas@gmail.com>, <akr@cisco.com>, <hartmans@painless-security.com>, Manav Bhatia <manav@ionosnetworks.com>, <zhangdacheng@huawei.com>
Resent-Date: Monday, October 27, 2014 at 7:30 PM

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document addresses both inter-session and intra-session replay attacks when using manual keying for OSPFv2 by changing the sequence numbers to be 64-bit, with the most significant 32 bits being a boot count and the least significant 32 bits being an increasing sequence number. The document also changes the Apad constant to match the source address of the IP header in order to extend the authenticated data and prevent source address spoofing.

The document was well written and I very much appreciated the redline style approach to the draft.

I consider this document ready for publication.

-Shaun
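The two mechanisms the review summarizes, a 64-bit sequence number (boot count in the high 32 bits, per-session counter in the low 32 bits) and an Apad filler derived from the IP source address, as a receiver-side check in Python. This is an added illustration, not code from the draft or from either correspondent; the shared key, neighbor addresses, packet body and the exact way the sequence number and Apad are fed into the HMAC are constructed assumptions, simplified from the OSPFv2 HMAC-SHA construction.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample key; a real deployment takes this from the manual key table.
KEY = b"constructed-shared-secret"


def apad_for_source(src_ip: str, digest_len: int = 32) -> bytes:
    """Apad filler derived from the packet's IPv4 source address, repeated
    to the hash length. The draft's point is that Apad is tied to the
    source address instead of being a fixed constant; the repeat layout
    here is an assumption for illustration."""
    addr = ipaddress.IPv4Address(src_ip).packed
    return (addr * (digest_len // 4 + 1))[:digest_len]


def auth_digest(src_ip: str, boot_count: int, seq: int, body: bytes) -> bytes:
    """Illustrative HMAC over the body, the 64-bit sequence number and the
    source-derived Apad (simplified field layout, not the RFC's exact one)."""
    seq64 = struct.pack("!II", boot_count, seq)  # boot count high, counter low
    return hmac.new(KEY, body + seq64 + apad_for_source(src_ip), hashlib.sha256).digest()


class NeighborState:
    """Tracks the last accepted 64-bit sequence number per neighbor."""

    def __init__(self) -> None:
        self.last: dict[str, int] = {}

    def accept(self, src_ip: str, boot_count: int, seq: int,
               body: bytes, digest: bytes) -> str:
        # A packet presented with a different source address than the one the
        # sender authenticated fails here, because Apad no longer matches.
        expected = auth_digest(src_ip, boot_count, seq, body)
        if not hmac.compare_digest(expected, digest):
            return "reject: bad digest"
        # Comparing the combined 64-bit value rejects both a repeated packet
        # from the current session and any packet from an earlier boot.
        seq64 = (boot_count << 32) | seq
        if seq64 <= self.last.get(src_ip, -1):
            return "reject: replay"
        self.last[src_ip] = seq64
        return "accept"
```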