RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
Hannes,

I'm of the opinion that key rollover and algorithm rollover do not
require actual additional protocol specification and that transmitting
multiple TLVs is not necessary. For any form of rollover to work, a
receiver must be prepared to accept multiple different combinations of
password and algorithm. It does not seem like a substantial effort for
the receiver to try all of the possibilities that it is configured for.

Given this, one way to do smooth rollover is to go around and configure
all nodes with the new password and/or algorithm. Once that's completed
and in production, then nodes can be set to transmit the new password
and/or algorithm.

While 802.11's WEP is hardly a good example of this for security
purposes, most implementations provide a fine example of how the UI for
this would work: one key is used for transmit, while a list of keys is
accepted.

Regards,
Tony

P.s. Yes, I'm well aware that implementations do not currently support
this behavior and will have to change. Including Juniper's. Sorry.
;-)

> -----Original Message-----
> From: Hannes Gredler [mailto:hannes at juniper.net]
> Sent: Wednesday, April 19, 2006 1:02 PM
> To: tony.li at tony.li
> Cc: 'Sofia Ray'; isis-wg at ietf.org
> Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
>
> furthermore, it would be also time to think about authentication-type
> migration support. i.e. discuss about authentication-type
> [simple->md5->sha]
> and key rollover schemes and nail down the necessary behaviour
> (multiple instances of TLV #10).
>
> the prevailing method for both authentication-type and key rollover
> (= disabling authentication check during the transition window)
> is not really smooth.
>
> /hannes
>
> Tony Li wrote:
> > Sofia,
> >
> > While I know of no substantive risks to the use of MD5 today as used in
> > 3567, history suggests that someday, there will be. Thus, having other
> > algorithms available is only prudent and I strongly support that goal.
> >
> > Regards,
> > Tony
> >
> >
> >>-----Original Message-----
> >>From: Sofia Ray [mailto:sofia.ray at lycos.com]
> >>Sent: Wednesday, April 19, 2006 11:04 AM
> >>To: isis-wg at ietf.org
> >>Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
> >>
> >>Manav,
> >>
> >>What's wrong with the authentication scheme detailed in 3567?
> >>
> >>Yours,
> >>Sofia
> >>
> >>----- Original Message ----
> >>From: Manav Bhatia <manav_bhatia06 at yahoo.co.uk>
> >>To: isis-wg at ietf.org
> >>Sent: Wednesday, 19 April, 2006 8:30:00 AM
> >>Subject: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
> >>
> >>
> >>Hi,
> >>
> >>We have written a draft on extending ISIS to use HMAC-SHA
> >>authentication. Would appreciate if we can get some feedback
> >>from the WG. The mechanism proposed in the draft is backward
> >>compatible and would work with the existing ISIS implementations.
> >>
> >>Cheers,
> >>Manav
> >>
> >>----- Forwarded Message ----
> >>From: Internet-Drafts at ietf.org
> >>To: i-d-announce at ietf.org
> >>Sent: Wednesday, April 19, 2006 4:20:01 AM
> >>Subject: I-D ACTION:draft-bhatia-manral-isis-hmac-sha-00.txt
> >>
> >>A New Internet-Draft is available from the on-line
> >>Internet-Drafts directories.
> >>
> >> Title : IS-IS HMAC SHA Cryptographic Authentication
> >> Author(s) : M. Bhatia, V. Manral
> >> Filename : draft-bhatia-manral-isis-hmac-sha-00.txt
> >> Pages : 8
> >> Date : 2006-4-18
> >>
> >>This document proposes an extension to IS-IS [ISO] [RFC1195]
> >>to allow the use of HMAC SHA authentication algorithm in
> >>addition to the already documented authentication schemes
> >>described in the base specification and RFC 3567.
> >>
> >>A URL for this Internet-Draft is:
> >>http://www.ietf.org/internet-drafts/draft-bhatia-manral-isis-hmac-sha-00.txt
> >>
> >>
> >>
> >>_______________________________________________
> >>Isis-wg mailing list
> >>Isis-wg at ietf.org
> >>https://www1.ietf.org/mailman/listinfo/isis-wg
> >>
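
The transmit-one, accept-many rollover described in the top message of this thread, as an added Python sketch that is not code from the thread, the draft, or any implementation. The `AuthKey` and `Node` names, the keys, and computing the HMAC over a bare byte string instead of a real IS-IS PDU with TLV #10 are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthKey:
    algorithm: str  # hashlib digest name, e.g. "md5" or "sha256"
    secret: bytes

    def digest(self, pdu: bytes) -> bytes:
        return hmac.new(self.secret, pdu, self.algorithm).digest()

@dataclass
class Node:
    transmit: AuthKey  # the one key used to sign outgoing PDUs
    accept: list       # every password/algorithm pair the receiver will try

    def send(self, pdu: bytes):
        return pdu, self.transmit.digest(pdu)

    def receive(self, pdu: bytes, digest: bytes) -> bool:
        # Try all configured possibilities; compare_digest is constant-time.
        return any(hmac.compare_digest(k.digest(pdu), digest) for k in self.accept)

# Constructed sample keys and PDU (not real IS-IS encodings).
OLD = AuthKey("md5", b"constructed-old-password")
NEW = AuthKey("sha256", b"constructed-new-password")
PDU = b"constructed hello PDU"

def exchange(a: Node, b: Node) -> bool:
    """True if each node authenticates the other's PDU."""
    return b.receive(*a.send(PDU)) and a.receive(*b.send(PDU))

def smooth_rollover() -> list:
    a, b = Node(OLD, [OLD]), Node(OLD, [OLD])
    ok = [exchange(a, b)]
    for node in (a, b):      # step 1: every node accepts the new pair
        node.accept.append(NEW)
        ok.append(exchange(a, b))
    for node in (a, b):      # step 2: only then switch transmit, node by node
        node.transmit = NEW
        ok.append(exchange(a, b))
    return ok

def transmit_switched_too_early() -> bool:
    a, b = Node(OLD, [OLD, NEW]), Node(OLD, [OLD])
    a.transmit = NEW         # b was never configured to accept NEW
    return exchange(a, b)

if __name__ == "__main__":
    print(smooth_rollover(), transmit_switched_too_early())
```

Authentication holds at every intermediate step of the two-phase rollout, and fails only when a node transmits the new pair before its neighbour has been configured to accept it.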