Hi,

I am aware of few service providers who turn on IGP cryptography only because they want a stronger checksum as the current internet protocol checksum, that OSPF uses, is known to have certain weaknesses. In particular it cannot detect re-ordered words and certain patterns of bit flips. If stronger integrity checks are desired, the only option is to use cryptographic HMACs, either with MD5 or, if supported, the stronger algorithms specified by [RFC5709]. There are some disadvantages though to using the existing support for cryptographic HMACs purely for integrity checking. The algorithms require more computation, which may be noticeable on less powerful and/or energy-sensitive platforms. Additionally, the need to configure key material is an additional administrative burden.

We have posted a new draft that extends both OSPFv2 and OSPFv3 to allow for the automatic and backward compatible use of stronger integrity checks using an algorithm that's stronger and more effective than the current internet protocol checksum that exists. Would be great if folks can review this and provide some sort of feedback on this proposal.

http://www.ietf.org/id/draft-jakma-ospf-integrity-00.txt

Cheers, Manav

From: [email protected]
To: [email protected]
Reply-to: [email protected]
Subject: I-D Action:draft-jakma-ospf-integrity-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

Title : Stronger, Automatic Integrity Checks for OSPF Packets
Author(s) : P. Jakma, M. Bhatia
Filename : draft-jakma-ospf-integrity-00.txt
Pages : 9
Date : 2010-10-13

This document describes an extension to OSPFv2 and OSPFv3 to allow a stronger integrity check to be applied to the protocol packets, than the default OSPF checksum, which is known to be weak. The extension allows OSPF speakers to negotiate the use of a CRC integrity check, as a new pseudo-authentication type.

A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-jakma-ospf-integrity-00.txt

Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/

--
Manav Bhatia, IP Division, Alcatel-Lucent, Bangalore - India
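
Added example, not part of the original message or of the draft: a short Python check of the two weaknesses named above (re-ordered words and compensating bit flips) against the RFC 1071 Internet checksum, next to a CRC. The sample bytes are constructed, the checksum is computed over the raw bytes rather than a full OSPF packet, and `zlib.crc32` is an assumed stand-in because the message does not state which CRC the draft uses.

```python
import struct
import zlib

# Constructed sample: ten 16-bit words, not a captured OSPF packet.
SAMPLE = bytes.fromhex("0201 002c c0a8 0001 0000 0000 ffff ff00 000a 1201")

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _words(data: bytes) -> list:
    return [w for (w,) in struct.iter_unpack("!H", data)]

def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Re-order two 16-bit words; addition is commutative, so the sum is unchanged."""
    w = _words(data)
    w[i], w[j] = w[j], w[i]
    return struct.pack(f"!{len(w)}H", *w)

def compensating_flips(data: bytes, i: int, j: int, bit: int) -> bytes:
    """Flip the same bit position in two words: one goes 1->0, the other 0->1."""
    w = _words(data)
    mask = 1 << bit
    if bool(w[i] & mask) == bool(w[j] & mask):
        raise ValueError("bit must be set in exactly one of the two words")
    w[i] ^= mask
    w[j] ^= mask
    return struct.pack(f"!{len(w)}H", *w)

def undetected(check, original: bytes, corrupted: bytes) -> bool:
    """True when the data changed but the check value did not."""
    return original != corrupted and check(original) == check(corrupted)

if __name__ == "__main__":
    cases = {
        "re-ordered words": swap_words(SAMPLE, 2, 3),
        "compensating bit flips": compensating_flips(SAMPLE, 0, 1, 0),
    }
    for name, bad in cases.items():
        print(f"{name}: internet checksum misses it = "
              f"{undetected(internet_checksum, SAMPLE, bad)}, "
              f"CRC-32 misses it = {undetected(zlib.crc32, SAMPLE, bad)}")
```

Both corruptions fall inside a 32-bit span, which is a burst length a 32-bit CRC always detects.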
