Re: [MSEC] [Tsvwg] [RPSEC] Authentication for OSPFv3
- To: Sandy Murphy <sandy at tislabs.com>
- Subject: Re: [MSEC] [Tsvwg] [RPSEC] Authentication for OSPFv3
- From: Brian Weis <bew at cisco.com>
- Date: Tue, 30 Sep 2008 09:14:41 -0700
- Authentication-results: sj-dkim-3; header.From=bew at cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
- Cc: msec at ietf.org, tsvwg list IETF <tsvwg at ietf.org>, edward.jankiewicz at sri.com, ospf at ietf.org, "secdir at MIT.EDU" <secdir at mit.edu>, rpsec at ietf.org, sidr at ietf.org, Ross Callon <rcallon at juniper.net>
- Delivered-to: ietfarch-msec-archive at core3.amsl.com
- Delivered-to: msec at core3.amsl.com
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=3675; t=1222791178; x=1223655178; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=bew at cisco.com; z=From:=20Brian=20Weis=20<bew at cisco.com> |Subject:=20Re=3A=20[Tsvwg]=20[RPSEC]=20Authentication=20fo r=20OSPFv3 |Sender:=20; bh=KjgDb/hr33RoXazjjqvua8isYhWhUH5Kth/XJmjLj5c=; b=vOxaQOecIl33DdvKWNRYvZ0H9rrDVpjXmCTgGtPvSd/FkYUgPD0+fkALUc cILTFKR5kGsuJNbyo9+v8W8UFBeCkm1/a9QMi3TMHrHuhzCDa9F/uOdPREhK mQj65P1qYy;
- In-reply-to: <20080929200231.3E5DD3F443 at pecan.tislabs.com>
- List-archive: <http://www.ietf.org/pipermail/msec>
- List-help: <mailto:msec-request@ietf.org?subject=help>
- List-id: Multicast Security List <msec.ietf.org>
- List-post: <mailto:msec@ietf.org>
- List-subscribe: <https://www.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=subscribe>
- List-unsubscribe: <https://www.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=unsubscribe>
- References: <20080929200231.3E5DD3F443 at pecan.tislabs.com>
- Sender: msec-bounces at ietf.org
On Sep 29, 2008, at 1:02 PM, Sandy Murphy wrote:

> > What (if any) current initiatives are there that would support automated
> > key exchange for OSPFv3 authentication?
>
> You have msec on the list of recipients, which is where I (not an active
> participant, mind you) think the answer lies.
I agree with Sandy. Both GDOI (RFC 3547) and GSAKMP (RFC 4535) are group key
management protocols, which is what OSPFv3 needs. Unfortunately, both assume
the existence of a group controller that plays an important role in
distributing keys. In other words, the very democratic all-are-equal
many-to-many model of OSPF might find it difficult to map to the envisioned
group security architecture. I suppose it might be possible to consider the
Designated Router as the group controller, but as the DR is elected, that
might be a difficult fit.

There is an expired individual I-D that explores several options along these
lines: <http://tools.ietf.org/html/draft-liu-ospfv3-automated-keying-req-01>.
However, there isn't (in my opinion) an obvious way forward. We can allocate
some time on the Minneapolis MSEC WG agenda on this topic if there's
sufficient interest.

Brian
> Even if you solve the group key management problem for OSPFv3, you still
> have the difficulty of doing anti-replay in a multicast environment.
> Manral presented a draft some years ago to the rpsec working group about
> the crypto vulnerabilities of routing protocols, and concentrated for
> OSPFv3 on replay vulnerabilities. Unfortunately, that did not go anywhere.
>
> Just for fun, I'm adding the routing area ADs and the secdir on this list.
> This is one of those cross-disciplinary concerns that has the right people
> in several different wgs and areas. The more the merrier, right?
>
> The one quibble I have is that the tsvwg probably has little to do with
> this problem - the transport for OSPFv3 is IP, not TCP, and IP is not the
> level of stuff their charter looks at.
>
> (And sorry for the late reply to your messages, I've been mulling the
> options.)
>
> --Sandy
>
> --------- In reply to ------------------------
> Date: Tue, 23 Sep 2008 17:52:07 -0400
> From: Ed Jankiewicz <edward.jankiewicz at sri.com>
> To: ospf at ietf.org, rpsec at ietf.org, sidr at ietf.org, msec at ietf.org,
> tsvwg at ietf.org
> Subject: [RPSEC] Authentication for OSPFv3
>
> I am not an active follower of these lists but have a question. Please
> reply off-list directly to ed.jankiewicz at sri.com or copy me if this
> triggers relevant discussion on your list.
>
> What (if any) current initiatives are there that would support automated
> key exchange for OSPFv3 authentication? RFC 4552 relies upon pre-shared
> secret keys for generating message digest, but some of my constituents
> have issues with manual generation, distribution and configuration of
> keys in their IPv6 network deployment. Is any of the current work on
> IKE revisions applicable, any work being done in your working group, or
> do you know of any OSPF-specific solution being developed somewhere?
>
> Thanks.
>
> --
> Ed Jankiewicz - SRI International
> Fort Monmouth Branch Office - IPv6 Research
> Supporting DISA Standards Engineering Branch
> 732-389-1003 or ed.jankiewicz at sri.com
>
> _______________________________________________
> RPSEC mailing list
> RPSEC at ietf.org
> https://www.ietf.org/mailman/listinfo/rpsec
--
Brian Weis
Router/Switch Security Group, ARTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew at cisco.com
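The anti-replay difficulty Sandy raises, worked through as an added example
(a constructed Python simulation written for this page, not code from the
thread, from the I-D Brian cites, or from any OSPFv3 implementation). It
models the situation RFC 4552 manual keying leaves you in: every router on
the link shares one key and one SA, every router keeps its own sequence
counter, and all hellos go to the same group address. The key value, the
link-local addresses and the window size are constructed for the example.

```python
"""Why anti-replay is hard for multicast OSPFv3 hellos under a shared manual
key. Constructed simulation for illustration; not from any real router."""
import hmac
import hashlib
from dataclasses import dataclass

# Assumption: one manually configured key shared by every router on the link,
# as RFC 4552 manual keying implies. The value is constructed for the example.
SHARED_KEY = b"constructed-ospfv3-link-key"
WINDOW = 8            # small anti-replay window so the effect shows quickly
GROUP = "ff02::5"     # AllSPFRouters: every router's hello goes to one group


@dataclass(frozen=True)
class Hello:
    src: str      # sender's link-local address (constructed values below)
    seq: int      # the sender's own counter; routers do not coordinate these
    body: bytes
    mac: bytes


def _mac(src, seq, body):
    data = src.encode() + seq.to_bytes(4, "big") + body
    return hmac.new(SHARED_KEY, data, hashlib.sha256).digest()


def send_hello(src, seq, body=b"hello"):
    """Build an authenticated hello as router `src` would emit it."""
    return Hello(src, seq, body, _mac(src, seq, body))


class ReplayWindow:
    """Simplified RFC 4302-style sliding window over sequence numbers."""
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.seen = set()   # accepted numbers still inside the window

    def check(self, seq):
        if seq > self.top:                      # newest so far: slide window
            self.top = seq
            self.seen = {s for s in self.seen if s > self.top - self.size}
            self.seen.add(seq)
            return True
        if seq <= self.top - self.size or seq in self.seen:
            return False                        # too old to judge, or a duplicate
        self.seen.add(seq)
        return True


class Receiver:
    """A router receiving group hellos. per_sender=False keeps one window for
    the single shared SA; per_sender=True keeps one window per source."""
    def __init__(self, per_sender):
        self.per_sender = per_sender
        self.windows = {}

    def accept(self, h):
        if not hmac.compare_digest(_mac(h.src, h.seq, h.body), h.mac):
            return False                        # forged or corrupted
        key = h.src if self.per_sender else GROUP
        return self.windows.setdefault(key, ReplayWindow()).check(h.seq)


def shared_window_drops_slow_sender():
    """Router A has sent 100 hellos; router B has just booted and starts at 1.
    One window for the whole SA judges B's fresh hello as 'too old'."""
    rx = Receiver(per_sender=False)
    return [rx.accept(send_hello("fe80::a", 100)),   # accepted
            rx.accept(send_hello("fe80::b", 1))]     # rejected: B is shut out


def per_sender_windows_fix_interleaving():
    """Per-source state accepts both senders and still rejects a hello from A
    that an attacker captured earlier and replays later."""
    rx = Receiver(per_sender=True)
    captured = send_hello("fe80::a", 100)
    return [rx.accept(captured),
            rx.accept(send_hello("fe80::b", 1)),
            rx.accept(send_hello("fe80::a", 101)),
            rx.accept(captured)]                     # replay detected


def reboot_with_same_key_locks_sender_out():
    """Under a manual key the sequence space never restarts cleanly: A reboots,
    counts from 1 again with the same key, and the peer's window rejects it.
    This is why anti-replay is not available with manual keying, and why an
    automated rekey (fresh SA, fresh sequence space) is what Ed is asking for."""
    rx = Receiver(per_sender=True)
    before = rx.accept(send_hello("fe80::a", 100))
    after_reboot = rx.accept(send_hello("fe80::a", 1))
    return [before, after_reboot]
```

Each function returns the receiver's accept/reject decisions in order. The
first shows that a single window per shared SA cannot work when many senders
share the SA; the second shows per-source windows handle interleaving and
ordinary replay; the third shows the part no receiver-side trick fixes: with a
static key, a rebooted sender's restarted counter is indistinguishable from a
replay, which is the link between the anti-replay problem and the automated
keying question that started the thread.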
_______________________________________________
MSEC mailing list
MSEC at ietf.org
https://www.ietf.org/mailman/listinfo/msec