| < draft-ietf-ospf-auth-trailer-ospfv3-10.txt | draft-ietf-ospf-auth-trailer-ospfv3-11.txt > | |||
|---|---|---|---|---|
| OSPF Working Group M. Bhatia | OSPF Working Group M. Bhatia | |||
| Internet-Draft Alcatel-Lucent | Internet-Draft Alcatel-Lucent | |||
| Intended status: Standards Track V. Manral | Intended status: Standards Track V. Manral | |||
| Expires: May 18, 2012 Hewlett Packard | Expires: May 24, 2012 Hewlett Packard | |||
| A. Lindem | A. Lindem | |||
| Ericsson | Ericsson | |||
| Nov 15, 2011 | Nov 21, 2011 | |||
| Supporting Authentication Trailer for OSPFv3 | Supporting Authentication Trailer for OSPFv3 | |||
| draft-ietf-ospf-auth-trailer-ospfv3-10 | draft-ietf-ospf-auth-trailer-ospfv3-11 | |||
| Abstract | Abstract | |||
| Currently OSPFv3 uses IPsec as the only mechanism for authenticating | Currently OSPFv3 uses IPsec as the only mechanism for authenticating | |||
| protocol packets. This behavior is different from authentication | protocol packets. This behavior is different from authentication | |||
| mechanisms present in other routing protocols (OSPFv2, IS-IS, RIPng). | mechanisms present in other routing protocols (OSPFv2, IS-IS, RIPng). | |||
| In some environments, it has been found that IPsec is difficult to | In some environments, it has been found that IPsec is difficult to | |||
| configure and maintain, and cannot be used. This document proposes | configure and maintain, and cannot be used. This document proposes | |||
| an alternative mechanism to authenticate OSPFv3 protocol packets so | an alternative mechanism to authenticate OSPFv3 protocol packets so | |||
| that OSPFv3 does not depend upon only IPsec for authentication. | that OSPFv3 does not depend upon only IPsec for authentication. | |||
| skipping to change at page 1, line 39 ¶ | skipping to change at page 1, line 39 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 18, 2012. | This Internet-Draft will expire on May 24, 2012. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2011 IETF Trust and the persons identified as the | Copyright (c) 2011 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 11, line 22 ¶ | skipping to change at page 11, line 22 ¶ | |||
| o Cryptographic Sequence Number | o Cryptographic Sequence Number | |||
| 64-bit strictly increasing sequence number that is used to guard | 64-bit strictly increasing sequence number that is used to guard | |||
| against replay attacks. The 64-bit sequence number MUST be | against replay attacks. The 64-bit sequence number MUST be | |||
| incremented for every OSPFv3 packet sent by the OSPFv3 router. | incremented for every OSPFv3 packet sent by the OSPFv3 router. | |||
| Upon reception, the sequence number MUST be greater than the | Upon reception, the sequence number MUST be greater than the | |||
| sequence number in the last OSPFv3 packet accepted from the | sequence number in the last OSPFv3 packet accepted from the | |||
| sending OSPFv3 neighbor. Otherwise, the OSPFv3 packet is | sending OSPFv3 neighbor. Otherwise, the OSPFv3 packet is | |||
| considered a replayed packet and dropped. | considered a replayed packet and dropped. | |||
| OSPFv3 routers implementing this specification SHOULD use | OSPFv3 routers implementing this specification MUST use available | |||
| available mechanisms to preserve the sequence number's strictly | mechanisms to preserve the sequence number's strictly increasing | |||
| increasing property for the deployed life of the OSPFv3 router | property for the deployed life of the OSPFv3 router (including | |||
| (including cold restarts). One mechanism for accomplishing this | cold restarts). One mechanism for accomplishing this would be to | |||
| would be to use the high order 32 bits of the sequence number as a | use the high order 32 bits of the sequence number as a wrap/boot | |||
| wrap/boot count that is incremented anytime the OSPFv3 router | count that is incremented anytime the OSPFv3 router loses its | |||
| loses its sequence number state. Sequence number wrap is | sequence number state. Sequence number wrap is described in | |||
| described in Section 4.1.1. | Section 4.1.1. | |||
| o Authentication Data | o Authentication Data | |||
| Variable data that is carrying the digest for the protocol packet | Variable data that is carrying the digest for the protocol packet | |||
| and optional LLS block. | and optional LLS block. | |||
| 4.1.1. Sequence Number Wrap | 4.1.1. Sequence Number Wrap | |||
| When incrementing the sequence number for each transmitted OSPFv3 | When incrementing the sequence number for each transmitted OSPFv3 | |||
| packet, the sequence number should be treated as an unsigned 64-bit | packet, the sequence number should be treated as an unsigned 64-bit | |||
| End of changes. 5 change blocks. | ||||
| 12 lines changed or deleted | 12 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||