Hi Abhinay,
The OSPFv3 authentication trailer RFC (RFC 7166) is a newer RFC than the OSPFv2 HMAC
authentication RFC (RFC 5709), and
in RFC 7166, section 1.2 (Summary of Changes from RFC 6506) lists:

   2. Section 3 previously recommended usage of an expired key for
      transmitted OSPFv3 packets when no valid keys existed. This
      statement has been removed.
So, as per this RFC, my understanding is that it is not recommended to use an expired
key for authentication.
We are planning to support HMAC for both OSPFv2 and OSPFv3, and we thought that keeping
consistent behavior for both would be helpful.
Thanks & Regards,
Veerendranath
-----Original Message-----
From: Lsr <[email protected]> On Behalf Of Abhinay R
Sent: Monday, March 8, 2021 2:14 PM
To: Veerendranatha Reddy V
<[email protected]>
Cc: [email protected]
Subject: Re: [Lsr] [OSPFv2/v3] Regarding Authentication process during last key
expiry or no active keys of key chain
Hi Veeru,
Is there a need to have the same behaviour? When we had to implement it,
I remember we followed rule 1 for OSPFv3, but we triggered a trap message
before doing so.
Thanks & Regards,
Abhinay R
On Mon, Mar 8, 2021 at 9:00 AM Veerendranatha Reddy V
<[email protected]> wrote:
>
> Hi All,
>
> As per the OSPF authentication RFCs, when the last key of a key chain has
> expired or is inactive, the behavior of the authentication process differs
> between OSPFv2 and OSPFv3.
>
> For OSPFv2, from RFC 5709, Section 3.2:
>
>    Key storage SHOULD persist across a system restart, warm or cold, to
>    avoid operational issues.  In the event that the last key associated
>    with an interface expires, it is unacceptable to revert to an
>    unauthenticated condition, and not advisable to disrupt routing.
>    Therefore, the router should send a "last Authentication Key
>    expiration" notification to the network manager and treat the key as
>    having an infinite lifetime until the lifetime is extended, the key
>    is deleted by network management, or a new key is configured.
>
> For OSPFv3, from RFC 7166, Section 3:
>
>    Key storage SHOULD persist across a system restart, warm or cold,
>    to avoid operational issues.  In the event that the last key
>    associated with an interface expires, the network operator SHOULD
>    be notified, and the OSPFv3 packet MUST NOT be transmitted
>    unauthenticated.
>
> For a new implementation of these RFCs, I am requesting the suggested
> behavior.
>
> Sending side:
>
> 1. Do not send the packet until a valid key is configured in the key chain.
> 2. Send the packet without authentication.
> 3. Send the packet with the last expired authentication key.
>
> Receiving side:
>
> 1. Ignore the packets until a valid key is configured in the key chain.
> 2. Accept the packets without authentication.
> 3. Accept the packets that match the last expired key.
>
> Thanks & Regards,
>
> Veerendranath
>
> _______________________________________________
> Lsr mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/lsr
--
~♥~♫AbHiNaY♫~♥~∞
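The two last-key-expiry behaviours quoted in this thread (RFC 5709 Section 3.2 for OSPFv2 and RFC 7166 Section 3 for OSPFv3), modelled in Python as an added example; this is not code from the thread or from any OSPF implementation. The key chain, key ids, secrets and lifetimes are constructed, the notify callback stands in for the trap/notification to the network manager, and the trailer layout (2-byte key id followed by an HMAC-SHA256 over the packet bytes) is a simplification for illustration, not the wire format defined by either RFC. It shows: with a valid key the newest active key is used; once the last key has expired, the OSPFv2 path notifies once and keeps using that key as if it had an infinite lifetime, while the OSPFv3 path notifies once and holds the packet (rule 1 in the thread) and never transmits unauthenticated; the receiver ignores unauthenticated packets in both cases; and configuring a new key ends the infinite-lifetime treatment of the expired one.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional

MAC_LEN = hashlib.sha256().digest_size   # 32 bytes
TRAILER_LEN = 2 + MAC_LEN                # constructed trailer: 2-byte key id + MAC


@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    start: int           # lifetime start, seconds since epoch (inclusive)
    end: Optional[int]   # lifetime end (exclusive); None means the key never expires

    def valid_at(self, now: int) -> bool:
        return self.start <= now and (self.end is None or now < self.end)


class KeyChain:
    def __init__(self, keys: List[Key], notify: Callable[[str], None]) -> None:
        self.keys = list(keys)
        self.notify = notify      # stands in for the trap / NMS notification
        self._notified = False    # the "last key expired" notification is sent once

    def _valid(self, now: int) -> List[Key]:
        return [k for k in self.keys if k.valid_at(now)]

    def _last_expired(self, now: int) -> Optional[Key]:
        expired = [k for k in self.keys if k.end is not None and k.end <= now]
        return max(expired, key=lambda k: k.end, default=None)

    def select_send_key(self, now: int, version: int) -> Optional[Key]:
        """Key to authenticate an outgoing packet with, or None to hold the packet."""
        valid = self._valid(now)
        if valid:
            self._notified = False
            return max(valid, key=lambda k: k.start)   # newest active key
        last = self._last_expired(now)
        if last is not None and not self._notified:
            self.notify(f"last authentication key {last.key_id} expired")
            self._notified = True
        if version == 2:
            return last   # RFC 5709 3.2: last key is treated as having infinite lifetime
        return None       # RFC 7166: no valid key, and the packet MUST NOT go unauthenticated

    def lookup_accept_key(self, key_id: int, now: int, version: int) -> Optional[Key]:
        """Key a received packet may be verified with, or None to ignore the packet."""
        for k in self.keys:
            if k.key_id != key_id:
                continue
            if k.valid_at(now):
                return k
            # Mirror the send side: OSPFv2 keeps accepting the last expired key while no
            # valid key exists; OSPFv3 (rule 1 in the thread) ignores the packet.
            if version == 2 and not self._valid(now) and k == self._last_expired(now):
                return k
            return None
        return None


def _mac(key: Key, data: bytes) -> bytes:
    return hmac.new(key.secret, data, hashlib.sha256).digest()


def transmit(chain: KeyChain, packet: bytes, now: int, version: int) -> Optional[bytes]:
    """Append the constructed key-id + HMAC trailer, or return None (held, not sent)."""
    key = chain.select_send_key(now, version)
    if key is None:
        return None
    body = packet + key.key_id.to_bytes(2, "big")
    return body + _mac(key, body)


def receive(chain: KeyChain, wire: bytes, now: int, version: int) -> Optional[bytes]:
    """Verify the trailer and return the packet body, or None if the packet is ignored."""
    if len(wire) < TRAILER_LEN:
        return None                           # no trailer at all: never accepted
    body, mac = wire[:-MAC_LEN], wire[-MAC_LEN:]
    key_id = int.from_bytes(body[-2:], "big")
    key = chain.lookup_accept_key(key_id, now, version)
    if key is None or not hmac.compare_digest(mac, _mac(key, body)):
        return None
    return body[:-2]


if __name__ == "__main__":
    events: List[str] = []
    chain = KeyChain(                         # constructed key chain, both keys expired by t=2500
        [Key(1, b"k1-secret", start=0, end=1000), Key(2, b"k2-secret", start=500, end=2000)],
        events.append,
    )
    hello = b"\x03\x01\x00\x2cHELLO"           # constructed stand-in for an OSPF Hello
    for version in (2, 3):
        sent = transmit(chain, hello, now=2500, version=version)
        state = "held" if sent is None else f"sent with key {int.from_bytes(sent[-TRAILER_LEN:-MAC_LEN], 'big')}"
        print(f"OSPFv{version} after last key expired: {state}")
    print("notifications:", events)
```

The receiver side is the part the RFC text quoted above does not spell out for OSPFv3; the code treats it symmetrically with the sender (ignore packets that verify only under an expired key), which is the "rule 1" choice described in the thread, not a requirement taken from RFC 7166.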