RE: [Isis-wg] IS-IS HMAC SHA Cryptographic Authentication
Hannes,
> There is a time window (until all routers have the new
> authentication key) where the routers holding the new key are
> using that key and other routers have not yet got the new key
> and hence nothing to verify against.
>
> So what you require is some form of coordination, i.e.
> to have all nodes hold off using the new transmit key
> up until the network is fully transitioned
> (I have seen implementations that achieve that with
> time/date-based transmit key selection) -> this requires
> some form of coordination (timestamp / key lifetime etc.)
Nothing more sophisticated than uniform configuration is required. The
first configuration pass installs the new key and enables it for
reception. The second configuration pass switches to using the new key
for transmission. Those who want to be pedantic can include a third
pass to remove the old key.

Given the widespread deployment of homegrown tools for consistent,
distributed router configuration, I don't see this as a significant
hurdle.

Tony
_______________________________________________
Isis-wg mailing list
Isis-wg at ietf.org
https://www1.ietf.org/mailman/listinfo/isis-wg
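
The staged rollover described in the message above, modelled as an added example that is not part of the original thread or of any IS-IS implementation. It assumes HMAC-SHA-256, constructed sample keys, and a receiver that checks a PDU against every key enabled for reception; it counts the intermediate network states in which some router rejects a neighbor's PDU.

```python
import hashlib
import hmac

OLD, NEW = b"constructed-old-key", b"constructed-new-key"  # sample keys

class Router:
    def __init__(self):
        self.rx_keys = [OLD]  # keys enabled for reception
        self.tx_key = OLD     # key used for transmission

    def send(self, pdu):
        return pdu, hmac.new(self.tx_key, pdu, hashlib.sha256).digest()

    def accepts(self, msg):
        # Assumption: the receiver tries every key enabled for reception.
        pdu, tag = msg
        return any(
            hmac.compare_digest(tag, hmac.new(k, pdu, hashlib.sha256).digest())
            for k in self.rx_keys)

# The three configuration passes from the message, applied per router.
def install_rx(r): r.rx_keys.append(NEW)   # pass 1: accept the new key
def switch_tx(r): r.tx_key = NEW           # pass 2: transmit with the new key
def remove_old(r): r.rx_keys.remove(OLD)   # pass 3: retire the old key

# Single-pass replacement, for comparison.
def naive_swap(r): r.rx_keys, r.tx_key = [NEW], NEW

def all_authenticated(routers):
    return all(rx.accepts(tx.send(b"constructed PDU"))
               for tx in routers for rx in routers if rx is not tx)

def broken_states(passes, n=4):
    """Configure routers one at a time, pass by pass; count the states
    in which at least one router fails to authenticate another."""
    routers = [Router() for _ in range(n)]
    broken = 0
    for step in passes:
        for r in routers:
            step(r)
            broken += not all_authenticated(routers)
    return broken

STAGED = [install_rx, switch_tx, remove_old]
NAIVE = [naive_swap]

if __name__ == "__main__":
    print("staged rollover, broken states:", broken_states(STAGED))
    print("single-pass swap, broken states:", broken_states(NAIVE))
```

The staged order holds only if each pass completes on every router before the next pass begins.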