List: ms-ospf
Subject: Re: [OSPF] Security Extension for OSPFv2 when using Manual Key Management
From: "Acee Lindem (acee)" <acee () cisco ! com>
Date: 2014-11-07 23:46:28
Message-ID: 897DC8BA-5120-4A72-AFA0-B7DF5955F2F1 () cisco ! com
Hi Uma,
On Nov 7, 2014, at 6:26 PM, Uma Chunduri <uma.chunduri@ericsson.com> wrote:
> Hi Acee,
>
> Don't know about any incompatibilities in deployed implementations...
> But this is a good change and as you said, it is compatible with 7166.
Thanks for the endorsement.
>
> --
> Uma C.
>
> PS:
>
> Though off topic (and not specific to OSPF too), but a lot of RPs are stuck to this SHA/apad stuff
> but ideally algorithms and their details SHOULD be totally agnostic to the protocols.
I think this would have been possible. However, we've already gone in this direction.
Thanks,
Acee
>
> -----Original Message-----
> From: OSPF [mailto:ospf-bounces@ietf.org] On Behalf Of Acee Lindem (acee)
> Sent: Friday, November 07, 2014 12:50 PM
> To: OSPF WG List
> Subject: Re: [OSPF] Security Extension for OSPFv2 when using Manual Key Management
>
> I guess everyone agrees with this draft change?
> Thanks,
> Acee
>
> On 11/3/14, 12:57 PM, "Acee Lindem (acee)" <acee@cisco.com> wrote:
>
>> Are there any implementations of this draft? There is, what I consider,
>> a mistake in the source address protection. I'd like to make it
>> consistent with RFC 7166. Rather than repeating the IP Source Address
>> (L/4) times in Apad, it is included once the same as is done with the
>> IPv6 address in RFC 7166. Does this cause anyone any incompatibilities
>> with deployed implementations?
>>
>> OLD:
>> OSPF routers sending OSPF packets must initialize Apad to the value
>> of the IP source address that would be used when sending an OSPFv2
>> packet, repeated L/4 times, where L is the length of the hash,
>> measured in octets. The basic idea is to incorporate the IP source
>> address from the IP header in the cryptographic authentication
>> computation so that any change of IP source address in a replayed
>> packet can be detected.
>>
>> NEW:
>> OSPF routers sending OSPF packets must initialize the first 4 octets
>> of Apad to the value of the IP source address that would be used when
>> sending the OSPFv2 packet. The remainder of Apad will contain
>> the value of 0x878FE1F3 repeated (L - 4)/4 times, where L is the
>> length of the hash, measured in octets. The basic idea is to
>> incorporate the IP source address from the IP header in the
>> cryptographic authentication computation so that any change of IP
>> source address in a replayed packet can be detected.
>>
>> Thanks,
>>
>> Acee
>>
>
> _______________________________________________
> OSPF mailing list
> OSPF@ietf.org
> https://www.ietf.org/mailman/listinfo/ospf
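Added worked example (not code from the thread, the draft, or any router implementation): it builds Apad the OLD way and the NEW way for a 32-octet hash and shows why a receiver that rebuilds Apad from the IP header it actually received rejects a replayed packet whose source address was changed. The HMAC placement follows RFC 5709 (Apad appended as the authentication trailer); the key, addresses and packet bytes are constructed sample values.

```python
import hashlib
import hmac
import ipaddress

# Constant from RFC 5709 used to fill Apad.
APAD_CONST = bytes.fromhex("878FE1F3")


def apad_old(src_ip: str, hash_len: int) -> bytes:
    """Draft's OLD text: IPv4 source address repeated L/4 times."""
    return ipaddress.IPv4Address(src_ip).packed * (hash_len // 4)


def apad_new(src_ip: str, hash_len: int) -> bytes:
    """NEW text (aligned with RFC 7166): source address once in the first
    4 octets, then 0x878FE1F3 repeated (L - 4)/4 times."""
    return ipaddress.IPv4Address(src_ip).packed + APAD_CONST * ((hash_len - 4) // 4)


def auth_data(key: bytes, ospf_packet: bytes, apad: bytes) -> bytes:
    """RFC 5709-style computation: HMAC-SHA-256 over the OSPFv2 packet with
    Apad appended as the authentication trailer. On the wire, the digest
    replaces Apad in that trailer."""
    return hmac.new(key, ospf_packet + apad, hashlib.sha256).digest()


def sender_sign(key: bytes, ospf_packet: bytes, src_ip: str) -> bytes:
    # Sender fills Apad from the source address it will put in the IP header.
    return auth_data(key, ospf_packet, apad_new(src_ip, 32))


def receiver_verify(key: bytes, ospf_packet: bytes, trailer: bytes,
                    ip_header_src: str) -> bool:
    # Receiver rebuilds Apad from the source address it actually observed in
    # the IP header, so a replay from another address yields a different MAC.
    expected = auth_data(key, ospf_packet, apad_new(ip_header_src, 32))
    return hmac.compare_digest(expected, trailer)


# Constructed sample: a 16-octet OSPFv2 Hello header (version 2, type 1,
# length 44, router ID 192.0.2.1, area 0, checksum 0, auth type 2) and a key.
SAMPLE_PACKET = bytes.fromhex("0201002c c0000201 00000000 00000002")
SAMPLE_KEY = b"constructed-manual-key"

if __name__ == "__main__":
    mac = sender_sign(SAMPLE_KEY, SAMPLE_PACKET, "192.0.2.1")
    print("legit :", receiver_verify(SAMPLE_KEY, SAMPLE_PACKET, mac, "192.0.2.1"))
    print("replay:", receiver_verify(SAMPLE_KEY, SAMPLE_PACKET, mac, "198.51.100.9"))
```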