Re: [RPSEC] [secdir] [sidr] Authentication for OSPFv3
- To: "Vishwas Manral" <vishwas.ietf at gmail.com>
- From: Sam Hartman <hartmans-ietf at mit.edu>
- Date: Tue, 30 Sep 2008 07:00:27 -0400
- Cc: msec at ietf.org, tsvwg at ietf.org, edward.jankiewicz at sri.com, ospf at ietf.org, secdir at MIT.EDU, sidr at ietf.org, rpsec at ietf.org, dward at cisco.com, Sandy Murphy <sandy at tislabs.com>, rcallon at juniper.net
- In-reply-to: <77ead0ec0809291853t63940339xc826b13cf5515176 at mail.gmail.com> (Vishwas Manral's message of "Tue, 30 Sep 2008 07:23:24 +0530")
- References: <48D96507.4000207 at sri.com> <20080929200231.3E5DD3F443 at pecan.tislabs.com> <77ead0ec0809291853t63940339xc826b13cf5515176 at mail.gmail.com>
>>>>> "Vishwas" == Vishwas Manral <vishwas.ietf at gmail.com> writes:
Vishwas> We can also solve the problem similarly by something like
Vishwas> BTNS (of course, the multicast part needs to be thought through
Vishwas> further), which does not necessarily require any certificate
Vishwas> verification, so we may have unauthenticated IKE SAs,
Vishwas> but then all keys for the CHILD_SA from there are
Vishwas> automatically generated.
Let me see if I understand this approach correctly. I want to
interact with OSPF. Somehow there is a group key that is in use on my
link. In order to obtain this key, I perform an unauthenticated
BTNS-style exchange with someone, and as a result of that exchange,
obtain the key?
First, who do I perform this exchange with? Anyone who currently holds the key?
Second, what threats does this protect against?
Finally, one of the things we typically desire from BTNS-style
protocols is a way to turn them into higher-infrastructure protocols
when the infrastructure is available. Can I do that with your
approach? How?
_______________________________________________
RPSEC mailing list
RPSEC at ietf.org
https://www.ietf.org/mailman/listinfo/rpsec