[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RPSEC] [Tsvwg] Authentication for OSPFv3

To: Sandy Murphy <sandy at tislabs.com>
Subject: Re: [RPSEC] [Tsvwg] Authentication for OSPFv3
From: Brian Weis <bew at cisco.com>
Date: Tue, 30 Sep 2008 09:14:41 -0700
Authentication-results: sj-dkim-3; header.From=bew at cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: msec at ietf.org, tsvwg list IETF <tsvwg at ietf.org>, edward.jankiewicz at sri.com, ospf at ietf.org, "secdir at MIT.EDU" <secdir at mit.edu>, rpsec at ietf.org, David Ward <dward at cisco.com>, sidr at ietf.org, Ross Callon <rcallon at juniper.net>
Delivered-to: ietfarch-rpsec-web-archive at core3.amsl.com
Delivered-to: rpsec at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=3675; t=1222791178; x=1223655178; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=bew at cisco.com; z=From:=20Brian=20Weis=20<bew at cisco.com> |Subject:=20Re=3A=20[Tsvwg]=20[RPSEC]=20Authentication=20fo r=20OSPFv3 |Sender:=20; bh=KjgDb/hr33RoXazjjqvua8isYhWhUH5Kth/XJmjLj5c=; b=vOxaQOecIl33DdvKWNRYvZ0H9rrDVpjXmCTgGtPvSd/FkYUgPD0+fkALUc cILTFKR5kGsuJNbyo9+v8W8UFBeCkm1/a9QMi3TMHrHuhzCDa9F/uOdPREhK mQj65P1qYy;
In-reply-to: <20080929200231.3E5DD3F443 at pecan.tislabs.com>
List-archive: <http://www.ietf.org/pipermail/rpsec>
List-help: <mailto:rpsec-request@ietf.org?subject=help>
List-id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-post: <mailto:rpsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
References: <20080929200231.3E5DD3F443 at pecan.tislabs.com>
Sender: rpsec-bounces at ietf.org


On Sep 29, 2008, at 1:02 PM, Sandy Murphy wrote:

What (if any) current initiatives are there that would supportautomated
key exchange for OSFPv3 authentication?
You have msec on the list of recipients, which is where I (not anactive
participant, mind you) think the answer lies.


I agree with Sandy.

Both GDOI (RFC 3547) and
GSAKMP (RFC 4535) are group key management protocols, which is what
OSPFv3 needs.  Unfortunately, both assume the existence of a group
controller that plays an important role in distributing keys. Inotherwords, the very democratic all-are-equal many-to-many model of OSPFmight find it
difficult to map to the envisioned group security architecture.  I
suppose it might be possible to consider the Designated Router as the
group controller, but as the DR is elected, that might be adifficult fit.

There is an expired individual I-D that explores several optionsalong these lines: <http://tools.ietf.org/html/draft-liu-ospfv3-automated-keying-req-01>. However, there isn't (in my opinion) anobvious way forward. We can allocate some time on the MinneapolisMSEC WG agenda on this topic if there's sufficient interest.


Brian

Even if you solve the group key management problem for OSPFv3, youstill
have the difficulty to doing anti-replay in a multicast environment.
Manral presented a draft some years ago to the rpsec working groupabout
the crypto vulnerabilities of routing protocols, and concentrated for
OSPFv3 on replay vulnerabilities. Unfortunately, that did not goanywhere.
Just for fun, I'm adding the routing area ADs and the secdir onthis list.This is one of those cross-disciplinary concerns that has the rightpeople
in several different wgs and areas.  The more the merrier, right?
The one quibble I have is that the tsvwg probably has little to dowith thisproblem - the transport for OSPFv3 is IP, not TCP, and IP is notthe level
of stuff their charter looks at.
(And sorry for the late reply to your messages, I've been mullingthe options.)
--Sandy

---------  In reply to ------------------------

Date: Tue, 23 Sep 2008 17:52:07 -0400
From: Ed Jankiewicz <edward.jankiewicz at sri.com>
To: ospf at ietf.org, rpsec at ietf.org, sidr at ietf.org, msec at ietf.org,tsvwg at ietf.org
Subject: [RPSEC] Authentication for OSPFv3
I am not an active follower of these lists but have a question.Please
reply off-list directly to ed.jankiewicz at sri.com or copy me if this
triggers relevant discussion on your list.
What (if any) current initiatives are there that would supportautomatedkey exchange for OSFPv3 authentication? RFC 4552 relies upon pre-shared
secret keys for generating message digest, but some of my constituents
have issues with manual generation, distribution and configuration of
keys in their IPv6 network deployment.  Is any of the current work on
IKE revisions applicable, any work being done in your workinggroup, or
do you know of any OSPF-specific solution being developed somewhere?

Thanks.

--
Ed Jankiewicz - SRI International
Fort Monmouth Branch Office - IPv6 Research
Supporting DISA Standards Engineering Branch
732-389-1003 or  ed.jankiewicz at sri.com

_______________________________________________
RPSEC mailing list
RPSEC at ietf.org
https://www.ietf.org/mailman/listinfo/rpsec


--
Brian Weis
Router/Switch Security Group, ARTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew at cisco.com

_______________________________________________
RPSEC mailing list
RPSEC at ietf.org
https://www.ietf.org/mailman/listinfo/rpsec

References:
- Re: [RPSEC] Authentication for OSPFv3
  - From: Sandy Murphy

Prev by Date: Re: [RPSEC] [secdir] [OSPF] [sidr] Authentication for OSPFv3
Next by Date: Re: [RPSEC] [OSPF] [sidr] Authentication for OSPFv3
Previous by thread: Re: [RPSEC] [secdir] [OSPF] [sidr] Authentication for OSPFv3
Index(es):
- Date
- Thread