
[MSEC] [Fwd: re: my message to msec rejected]





-------- Original Message --------
Subject: re: my message to msec rejected
Date: Mon, 29 Sep 2008 16:23:39 -0400 (EDT)
From: sandy at tislabs.com (Sandy Murphy)
To: msec-owner at ietf.org
CC: sandy at tislabs.com

I replied to Ed Jankiewicz's message that he posted to sidr,
rpsec, msec and tsvwg.  It bounced from rpsec (it thinks I'm not a member!),
from sidr (too many recipients), from tsvwg (I really am not a member, there),
and msec (not allowed to post).

Anything you can do about the msec copy of the message?

Here's my rejection notice from the msec group.

--Sandy

From msec-bounces at ietf.org  Mon Sep 29 16:03:33 2008
X-Original-To: sandy at tislabs.com
Delivered-To: sandy at tislabs.com
Subject: Re: [RPSEC] Authentication for OSPFv3
From: msec-owner at ietf.org
To: sandy at tislabs.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1151216042=="
Date: Mon, 29 Sep 2008 13:05:02 -0700
Precedence: bulk
X-BeenThere: msec at ietf.org
X-Mailman-Version: 2.1.9
List-Id: Multicast Security List <msec.ietf.org>
X-List-Administrivia: yes
Sender: msec-bounces at ietf.org
Errors-To: msec-bounces at ietf.org

--===============1151216042==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

You are not allowed to post to this mailing list, and your message has
been automatically rejected.  If you think that your messages are
being rejected in error, contact the mailing list owner at
msec-owner at ietf.org.


--===============1151216042==
Content-Type: message/rfc822
MIME-Version: 1.0

Return-Path: <sandy at tislabs.com>
X-Original-To: msec at core3.amsl.com
Delivered-To: msec at core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 6676F3A67F6;
	Mon, 29 Sep 2008 13:05:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id UL3gS8mK-8WI; Mon, 29 Sep 2008 13:05:00 -0700 (PDT)
Received: from nutshell.tislabs.com (nutshell.tislabs.com [192.94.214.100])
	by core3.amsl.com (Postfix) with ESMTP id DE0EA3A67A5;
	Mon, 29 Sep 2008 13:04:59 -0700 (PDT)
Received: (from uucp at localhost)
	by nutshell.tislabs.com (8.12.9/8.12.9) id m8TK42iB014674;
	Mon, 29 Sep 2008 16:04:02 -0400 (EDT)
Received: from nodnsquery(10.66.1.30) by nutshell.tislabs.com via csmap (V6.0)
	id srcAAAjPaiQC; Mon, 29 Sep 08 16:04:02 -0400
Received: by pecan.tislabs.com (Postfix, from userid 2005)
	id 3E5DD3F443; Mon, 29 Sep 2008 16:02:31 -0400 (EDT)
To: dward at cisco.com, edward.jankiewicz at sri.com, msec at ietf.org, ospf at ietf.org,
   rcallon at juniper.net, rpsec at ietf.org, secdir at mit.edu, sidr at ietf.org,
   tsvwg at ietf.org
Subject: Re: [RPSEC] Authentication for OSPFv3
Cc: sandy at tislabs.com
In-Reply-To: <48D96507.4000207 at sri.com>
Message-Id: <20080929200231.3E5DD3F443 at pecan.tislabs.com>
Date: Mon, 29 Sep 2008 16:02:31 -0400 (EDT)
From: sandy at tislabs.com (Sandy Murphy)

What (if any) current initiatives are there that would support automated key exchange for OSPFv3 authentication?

You have msec on the list of recipients, which is where I (not an active
participant, mind you) think the answer lies.  Both GDOI (RFC 3547) and
GSAKMP (RFC 4535) are group key management protocols, which is what
OSPFv3 needs.  Unfortunately, both assume the existence of a group
controller that plays an important role in distributing keys.  In other
words, the very democratic all-are-equal many-to-many model of OSPF might find it
difficult to map to the envisioned group security architecture.  I
suppose it might be possible to consider the Designated Router as the
group controller, but as the DR is elected, that might be a difficult fit.

Even if you solve the group key management problem for OSPFv3, you still
have the difficulty of doing anti-replay in a multicast environment.
Manral presented a draft some years ago to the rpsec working group about
the crypto vulnerabilities of routing protocols, and concentrated for
OSPFv3 on replay vulnerabilities.  Unfortunately, that did not go anywhere.

Just for fun, I'm adding the routing area ADs and the secdir on this list.
This is one of those cross-disciplinary concerns that has the right people
in several different wgs and areas.  The more the merrier, right?

The one quibble I have is that the tsvwg probably has little to do with this
problem - the transport for OSPFv3 is IP, not TCP, and IP is not the level
of stuff their charter looks at.

(And sorry for the late reply to your messages, I've been mulling the options.)

--Sandy

---------  In reply to ------------------------

Date: Tue, 23 Sep 2008 17:52:07 -0400
From: Ed Jankiewicz <edward.jankiewicz at sri.com>
To: ospf at ietf.org, rpsec at ietf.org, sidr at ietf.org, msec at ietf.org, tsvwg at ietf.org
Subject: [RPSEC] Authentication for OSPFv3

I am not an active follower of these lists but have a question.  Please
reply off-list directly to ed.jankiewicz at sri.com or copy me if this
triggers relevant discussion on your list.

What (if any) current initiatives are there that would support automated
key exchange for OSPFv3 authentication?  RFC 4552 relies upon pre-shared
secret keys for generating message digest, but some of my constituents
have issues with manual generation, distribution and configuration of
keys in their IPv6 network deployment.  Is any of the current work on
IKE revisions applicable, any work being done in your working group, or
do you know of any OSPF-specific solution being developed somewhere?

Thanks.

--
Ed Jankiewicz - SRI International
Fort Monmouth Branch Office - IPv6 Research
Supporting DISA Standards Engineering Branch
732-389-1003 or  ed.jankiewicz at sri.com



--===============1151216042==--
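
A simplified model of the multicast anti-replay difficulty mentioned in the message above, added here as an illustration and not taken from the thread, RFC 4552 or any draft it mentions. It assumes an IPsec-style sequence-number window and constructed router names R1 and R2: with one window for a shared group key a second legitimate sender is dropped, while per-sender windows accept both and still reject the replay.

```python
# Simplified model of a sliding anti-replay window (IPsec-style sequence
# numbers). Router names and traffic are constructed for illustration.

class ReplayWindow:
    """Accept each sequence number at most once within a sliding window."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => (highest - i) was already accepted

    def accept(self, seq):
        if seq > self.highest:                  # new high: slide the window
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                 # older than the window: drop
            return False
        if self.bitmap & (1 << offset):         # seen before: replay
            return False
        self.bitmap |= 1 << offset              # late but new: accept
        return True


def receive(packets, per_sender):
    """Return the (sender, seq) packets a receiver accepts.

    per_sender=False: one window for the whole group key (one shared SA).
    per_sender=True:  one window per source router.
    """
    windows = {}
    accepted = []
    for sender, seq in packets:
        key = sender if per_sender else "group"
        if windows.setdefault(key, ReplayWindow()).accept(seq):
            accepted.append((sender, seq))
    return accepted


# Constructed traffic on one link: R1 has been sending for a while, R2 has
# just started counting, and the last packet is a replay of R1's seq 1000.
TRAFFIC = [("R1", 1000), ("R2", 1), ("R1", 1001), ("R2", 2), ("R1", 1000)]

if __name__ == "__main__":
    print("shared window:    ", receive(TRAFFIC, per_sender=False))
    print("per-sender window:", receive(TRAFFIC, per_sender=True))
```

Per-sender state is not a complete answer: in this model a router whose counter restarts at 1 after a reboot is dropped until the receiver's window for it is reset.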

