RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication

[mike shand <mshand at cisco.com>]

At 21:15 19/04/2006, Tony Li wrote:
> Hannes,
>
> I'm of the opinion that key rollover and algorithm rollover do not
> require actual additional protocol specification and that transmitting
> multiple TLVs is not necessary.  For any form of rollover to work, a
> receiver must be prepared to accept multiple different combinations of
> password and algorithm.  It does not seem like a substantial effort for
> the receiver to try all of the possibilities that it is configured for.

Absolutely. That was the way it was designed to work in the original 
form with non-cryptographic passwords (multiple receive passwords 
could be specified to allow migration), and I don't see why the same 
principle shouldn't apply to algorithm migration.

        Mike



> Given this, one way to do smooth rollover is to go around and configure
> all nodes with the new password and/or algorithm.  Once that's completed
> and in production, then nodes can be set to transmit the new password
> and/or algorithm.
>
> While 802.11's WEP is hardly a good example of this for security
> purposes, most implementations provide a fine example of how the UI for
> this would work: one key is used for transmit, while a list of keys is
> accepted.
>
> Regards,
> Tony
>
> P.s. Yes, I'm well aware that implementations do not currently support
> this behavior and will have to change.  Including Juniper's.  Sorry.
> ;-)
>
>
> > -----Original Message-----
> > From: Hannes Gredler [mailto:hannes at juniper.net]
> > Sent: Wednesday, April 19, 2006 1:02 PM
> > To: tony.li at tony.li
> > Cc: 'Sofia Ray'; isis-wg at ietf.org
> > Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
> >
> > furthermore, it would be also time to think about authentication-type
> > migration support. i.e. discuss about authentication-type
> > [simple->md5->sha]
> > and key rollover schemes and nail down the necessary behaviour
> > (multiple instances of TLV #10).
> >
> > the prevailing method for both authentication-type and key rollover
> > (= disabling authentication check during the transition window)
> > is not really smooth.
> >
> > /hannes
> >
> > Tony Li wrote:
> > > Sofia,
> > >
> > > While I know of no substantive risks to the use of MD5
> > today as used in
> > > 3567, history suggests that someday, there will be.  Thus,
> > having other
> > > algorithms available is only prudent and I strongly support
> > that goal.
> > >
> > > Regards,
> > > Tony
> > >
> > >
> > >>-----Original Message-----
> > >>From: Sofia Ray [mailto:sofia.ray at lycos.com]
> > >>Sent: Wednesday, April 19, 2006 11:04 AM
> > >>To: isis-wg at ietf.org
> > >>Subject: Re: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
> > >>
> > >>Manav,
> > >>
> > >>Whats wrong with the authentication scheme detailed in 3567?
> > >>
> > >>Yours,
> > >>Sofia
> > >>
> > >>----- Original Message ----
> > >>From: Manav Bhatia <manav_bhatia06 at yahoo.co.uk>
> > >>To: isis-wg at ietf.org
> > >>Sent: Wednesday, 19 April, 2006 8:30:00 AM
> > >>Subject: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
> > >>
> > >>
> > >>Hi,
> > >>
> > >>We have written a draft on extending ISIS to use HMAC-SHA
> > >>authentication. Would appreciate if we can get some feedback
> > >>from the WG. The mechanism proposed in the draft is backward
> > >>compatible and would work with the existing ISIS implementations.
> > >>
> > >>Cheers,
> > >>Manav
> > >>
> > >>----- Forwarded Message ----
> > >>From: Internet-Drafts at ietf.org
> > >>To: i-d-announce at ietf.org
> > >>Sent: Wednesday, April 19, 2006 4:20:01 AM
> > >>Subject: I-D ACTION:draft-bhatia-manral-isis-hmac-sha-00.txt
> > >>
> > >>A New Internet-Draft is available from the on-line
> > >>Internet-Drafts directories.
> > >>
> > >>    Title        : IS-IS HMAC SHA Cryptographic Authentication
> > >>    Author(s)    : M. Bhatia, V. Manral
> > >>    Filename    : draft-bhatia-manral-isis-hmac-sha-00.txt
> > >>    Pages        : 8
> > >>    Date        : 2006-4-18
> > >>
> > >>This document proposes an extension to IS-IS [ISO] [RFC1195]
> > >>to allow the use of HMAC SHA authentication algorithm in
> > >>addition to the already documented authentication schemes
> > >>described in the base specification and RFC 3567.
> > >>
> > >>A URL for this Internet-Draft is:
> > >>http://www.ietf.org/internet-drafts/draft-bhatia-manral-isis-h
> > >>mac-sha-00.txt
> > >>
> > >>
> > >>
> > >>--
> > >>_______________________________________________
> > >>
> > >>Search for businesses by name, location, or phone number.
> > >>-Lycos Yellow Pages
> > >>
> > >>http://r.lycos.com/r/yp_emailfooter/http://yellowpages.lycos.c
> > >>om/default.asp?SRC=lycos10
> > >>
> > >>
> > >>_______________________________________________
> > >>Isis-wg mailing list
> > >>Isis-wg at ietf.org
> > >>https://www1.ietf.org/mailman/listinfo/isis-wg
> > >>
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Isis-wg mailing list
> > > Isis-wg at ietf.org
> > > https://www1.ietf.org/mailman/listinfo/isis-wg
> >
>
>
>
> _______________________________________________
> Isis-wg mailing list
> Isis-wg at ietf.org
> https://www1.ietf.org/mailman/listinfo/isis-wg

_______________________________________________
Isis-wg mailing list
Isis-wg at ietf.org
https://www1.ietf.org/mailman/listinfo/isis-wg