> Though the spirit of the draft is good, I have a few comments on
> draft-bhatia-karp-non-ipsec-ospfv3-auth-01.txt.
>

+1. I think it's a good idea.

> 1. Page 3 - Sec 1 - I saw a couple of places referencing [RFC4522], LDAP??
> I suspect it's a typo and the authors really meant 4552.
>
> 2. Sec 2.2
> I didn't understand on what exactly is the requirement that this has to be
> similar to OSPFv2?
>

I think the requirement is just to move away from IPsec, which has proven
difficult to deploy in the field.

I'll let the authors comment on the other questions.

> 7. Would it be better to include the IPv6 header too as part of the OSPFv3 packet
> (..not only as the currently available AH option gives this protection)

While draft-ietf-karp-threats-reqs-01.txt states that routing protocols must
protect the IP header, I don't think the WG has yet reached a consensus on
this particular issue. NOTE that this draft is still under discussion and has
not yet been finalized.

Mark

>
> Thanks,
> Uma
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Bhatia, Manav (Manav)
> Sent: Thursday, October 14, 2010 4:36 PM
> To: [email protected]; [email protected]
> Subject: [OSPF] Supporting Authentication Trailer for OSPFv3
>
> Hi,
>
> We have posted the new version of this draft for the WG to review.
>
> Changes from -00:
>
> o Uses a new option bit (AT) present in the Hellos and DDs to indicate that
>   the router will use an Authentication Trailer in all OSPFv3 packets on that
>   link. This will obviously be negotiated and the routers will only do this if
>   both the routers turn on the AT bit.
>
> o Describes where the new authentication trailer is placed wrt the link-local
>   signaling (LLS) block defined in RFC5613.
>
> o Some editorial changes.
>
> Acee, Vishwas and Manav
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf
>> Of Bhatia, Manav (Manav)
>> Sent: Wednesday, September 29, 2010 4:50 AM
>> To: [email protected]
>> Subject: [OSPF] draft-bhatia-manral-auth-trailer-ospfv3-00.txt
>>
>>
>> Hi,
>>
>> Proposing another mechanism for doing non-IPsec authentication for
>> OSPFv3. In this proposal the OSPFv3 authentication information is
>> appended to the OSPFv3 packet and is not considered a part of the
>> protocol payload; it is instead included in the IPv6 packet's payload
>> length.
>>
>> The mechanism described is very similar to how it is done for
>> OSPFv2, and implementations can reuse most of the existing code for
>> authenticating OSPFv2.
>>
>> So what's the difference between this and
>> draft-bhatia-karp-non-ipsec-ospfv3-auth-01.txt?
>>
>> The main difference is that the latter introduces a new IPv6 extension
>> header that can be used by all protocols that want to use non-IPsec
>> security. The main issue that I see is that while it is generic I
>> don't see too many applications that might want to use this. The
>> advantage of the new mechanism is that it's restricted to OSPFv3 and is
>> also backward compatible. Implementations that don't support this
>> extension can continue to ignore this trailer attached to the OSPFv3
>> payload.
>>
>> The other difference is regarding the code reusability. In the new
>> mechanism (Authentication Trailer) very little new code needs to be
>> added, while the earlier (Generic Authentication Header) mechanism
>> would require new source code to be added.
>>
>> Would be great if the WG can review this document!
>>
>> Cheers, Manav
>>
>> ----- Forwarded Message ----
>> From: "[email protected]" <[email protected]>
>> To: [email protected]
>> Sent: Tue, September 28, 2010 11:15:01 PM
>> Subject: I-D ACTION:draft-bhatia-manral-auth-trailer-ospfv3-00.txt
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>>
>>
>> Title     : Supporting Authentication Trailer for OSPFv3
>> Author(s) : M. Bhatia, V. Manral
>> Filename  : draft-bhatia-manral-auth-trailer-ospfv3-00.txt
>> Pages     : 12
>> Date      : 2010-9-28
>>
>> Currently OSPFv3 uses IPsec for authenticating the protocol
>> packets. There however are some environments (mobile ad-hoc),
>> where IPsec is difficult to configure and maintain, and this
>> mechanism cannot be used. This draft proposes an alternative
>> mechanism that can be used so that OSPFv3 does not depend upon
>> IPsec for security.
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-bhatia-manral-auth-trailer-ospfv3-00.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> Below is the data which will enable a MIME compliant mail reader
>> implementation to automatically retrieve the ASCII version of the
>> Internet-Draft.
>> --
>> Manav Bhatia,
>> IP Division, Alcatel-Lucent,
>> Bangalore - India
>>
>>
>> _______________________________________________
>> OSPF mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/ospf
>>
> _______________________________________________
> karp mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/karp
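The mechanism Manav describes (authentication data appended after the OSPFv3 packet, outside the OSPFv3 packet-length field but inside the IPv6 payload length, so a receiver that does not understand it can ignore it), together with the AT-bit negotiation and Uma's question about covering the IPv6 header, as an added example. This is editor-written illustration code, not code from the draft or its authors. The trailer layout used here (a 2-byte auth type, a 2-byte trailer length and an HMAC-SHA-256 digest) is an assumption made for the illustration, not the draft's wire format, which this page does not show; the key, the link-local source address and the Hello contents are constructed, and the OSPFv3 checksum is left zero rather than computed per RFC 5340.

```python
"""Appending and checking an authentication trailer on an OSPFv3 packet.

Added example (not the draft's code or format).  Shows why a trailer that
sits outside the OSPFv3 packet length but inside the IPv6 payload length
is backward compatible, and how covering the IPv6 source address in the
digest binds the packet to its sender.
"""
import hashlib
import hmac
import struct

# RFC 5340 OSPFv3 header: version, type, packet length, router ID, area ID,
# checksum, instance ID, reserved (16 bytes).
OSPFV3_HDR = struct.Struct("!BBHIIHBB")
OSPF_VERSION = 3
HELLO = 1

# Assumed trailer layout for illustration only: auth type (2 bytes),
# trailer length including this header (2 bytes), then the digest.
TRAILER_HDR = struct.Struct("!HH")
AUTH_HMAC_SHA256 = 1                      # assumed code point
DIGEST_LEN = hashlib.sha256().digest_size


def build_ospfv3_packet(ptype, router_id, area_id, instance_id, body):
    """OSPFv3 packet whose length field covers header + body only.
    Checksum is left zero here; a real stack fills in the RFC 5340 value."""
    length = OSPFV3_HDR.size + len(body)
    hdr = OSPFV3_HDR.pack(OSPF_VERSION, ptype, length, router_id, area_id,
                          0, instance_id, 0)
    return hdr + body


def _digest(key, ospf_pkt, trailer_hdr, src_addr):
    # Including the IPv6 source address is one way to give the IP header
    # the protection discussed in the thread; pass b"" to leave it out.
    return hmac.new(key, src_addr + ospf_pkt + trailer_hdr,
                    hashlib.sha256).digest()


def append_auth_trailer(ospf_pkt, key, src_addr=b""):
    """The IPv6 payload length grows; the OSPFv3 packet length does not."""
    trailer_hdr = TRAILER_HDR.pack(AUTH_HMAC_SHA256,
                                   TRAILER_HDR.size + DIGEST_LEN)
    return ospf_pkt + trailer_hdr + _digest(key, ospf_pkt, trailer_hdr,
                                            src_addr)


def split_ipv6_payload(payload):
    """Locate the trailer from the OSPFv3 length field.  A legacy receiver
    processes payload[:length] and never looks at what follows."""
    version, _ptype, length = struct.unpack_from("!BBH", payload, 0)
    if (version != OSPF_VERSION or length < OSPFV3_HDR.size
            or length > len(payload)):
        raise ValueError("malformed OSPFv3 packet")
    return payload[:length], payload[length:]


def receive(payload, key, src_addr=b"", at_negotiated=True):
    """Return the OSPFv3 packet if acceptable, else raise ValueError.
    at_negotiated is True only when both routers set the AT option bit."""
    ospf_pkt, trailer = split_ipv6_payload(payload)
    if not at_negotiated:
        return ospf_pkt                   # any trailer is simply ignored
    if len(trailer) < TRAILER_HDR.size:
        raise ValueError("AT negotiated but no authentication trailer")
    auth_type, auth_len = TRAILER_HDR.unpack_from(trailer, 0)
    if (auth_type != AUTH_HMAC_SHA256 or auth_len != len(trailer)
            or auth_len != TRAILER_HDR.size + DIGEST_LEN):
        raise ValueError("unsupported or malformed authentication trailer")
    expected = _digest(key, ospf_pkt, trailer[:TRAILER_HDR.size], src_addr)
    if not hmac.compare_digest(expected, trailer[TRAILER_HDR.size:]):
        raise ValueError("authentication trailer digest mismatch")
    return ospf_pkt


def rejects(payload, key, src_addr=b"", at_negotiated=True):
    """True if receive() refuses the payload (used to show the failure modes)."""
    try:
        receive(payload, key, src_addr, at_negotiated)
    except ValueError:
        return True
    return False


# Constructed sample data (not from the page): a 20-byte RFC 5340 Hello body
# (interface ID 5, priority 1, options V6|E|R, hello 10s, dead 40s, no DR/BDR).
SAMPLE_KEY = b"constructed-example-key"
SAMPLE_SRC = bytes.fromhex("fe80000000000000000000000000000a")     # fe80::a
SPOOFED_SRC = bytes.fromhex("fe80000000000000000000000000000b")    # fe80::b
SAMPLE_HELLO_BODY = (struct.pack("!IB", 5, 1) + b"\x00\x00\x13"
                     + struct.pack("!HHII", 10, 40, 0, 0))


def demo():
    """Build a Hello, append the trailer, return (ospf_pkt, ipv6_payload)."""
    pkt = build_ospfv3_packet(HELLO, 0x01010101, 0, 0, SAMPLE_HELLO_BODY)
    return pkt, append_auth_trailer(pkt, SAMPLE_KEY, SAMPLE_SRC)


if __name__ == "__main__":
    pkt, wire = demo()
    print("OSPFv3 length field:", struct.unpack_from("!H", wire, 2)[0],
          " IPv6 payload length:", len(wire))
    print("accepted:", receive(wire, SAMPLE_KEY, SAMPLE_SRC) == pkt)
```

The thing to notice is that the OSPFv3 length field still reads 36 while the IPv6 payload is 72 bytes: a router without trailer support parses the first 36 bytes exactly as before, which is the backward compatibility Manav claims. Whether a *missing* trailer is an error depends only on the AT negotiation, and a spoofed source address is caught only if the digest covers it, which is the choice Uma's question 7 is about.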
