> 2. Sec 2.2
> I didn't understand on what exactly is the requirement that this has to be
> similar to OSPFv2?
>

I think the requirement is just to move away from IPSec which has proven difficult to deploy in the field. I'll let the authors comment on the other questions.

Yeah, right. Got this. I should have been more specific.
I was thinking as mentioned in other comments - why the AUTH_trailer/choice-of-auth-algos/auth-scope-of-the packet/etc. have to be similar to OSPFv2 as there is

- no backward compatibility issue
- this can well address identified/potential weaknesses in OSPFv2 auth (as seen in ip-header/src protection draft) and
- future flexibility (auth type)
- need to anyways align to/consider auto-key-management requirements

Thanks,
Uma

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Bhatia, Manav (Manav)
> Sent: Thursday, October 14, 2010 4:36 PM
> To: [email protected]; [email protected]
> Subject: [OSPF] Supporting Authentication Trailer for OSPFv3
>
> Hi,
>
> We have posted the new version of this draft for the WG to review.
>
> Changes from -00:
>
> o Uses a new option bit (AT) present in the Hellos and DDs to indicate that
> the router will use an Authentication trailer in all OSPFv3 packets on that
> link. This will obviously be negotiated and the routers will only do this if
> both the routers turn on the AT bit.
>
> o Describes where the new authentication trailer is placed wrt link local
> signaling (LLS) block defined in RFC5613.
>
> o Some editorial changes.
>
> Acee, Vishwas and Manav
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf
>> Of Bhatia, Manav (Manav)
>> Sent: Wednesday, September 29, 2010 4.50 AM
>> To: [email protected]
>> Subject: [OSPF] draft-bhatia-manral-auth-trailer-ospfv3-00.txt
>>
>>
>> Hi,
>>
>> Proposing another mechanism for doing non IPsec authentication for
>> OSPFv3. In this proposal the OSPFv3 authentication information is
>> appended to the OSPFv3 packet and is not considered a part of the
>> protocol payload; it is instead included in the IPv6 packet's payload
>> length.
>>
>> The mechanism described is very similar to how it is done for
>> OSPFv2 and implementations can reuse most of the existing code for
>> authenticating OSPFv2.
>>
>> So what's the difference between this and the
>> draft-bhatia-karp-non-ipsec-ospfv3-auth-01.txt?
>>
>> The main difference is that the latter introduces a new IPv6
>> extension header that can be used by all protocols that want to use
>> non IPSec security. The main issue that I see is that while it is
>> generic I don't see too many applications that might want to use
>> this. The advantage of the new mechanism is that it's restricted to
>> OSPFv3 and is also backward compatible. Implementations that don't
>> support this extension can continue to ignore this trailer attached
>> to the OSPFv3 payload.
>>
>> The other difference is regarding the code reusability. In the new
>> mechanism (Authentication Trailer) very little new code needs to be
>> added, while the earlier (Generic Authentication Header) mechanism
>> would require new source code to be added.
>>
>> Would be great if the WG can review this document!
>>
>> Cheers, Manav
>>
>> ----- Forwarded Message ----
>> From: "[email protected]" <[email protected]>
>> To: [email protected]
>> Sent: Tue, September 28, 2010 11:15:01 PM
>> Subject: I-D ACTION:draft-bhatia-manral-auth-trailer-ospfv3-00.txt
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>>
>>
>> Title     : Supporting Authentication Trailer for OSPFv3
>> Author(s) : M. Bhatia, V. Manral
>> Filename  : draft-bhatia-manral-auth-trailer-ospfv3-00.txt
>> Pages     : 12
>> Date      : 2010-9-28
>>
>> Currently OSPFv3 uses IPsec for authenticating the protocol
>> packets. There however are some environments (mobile ad-hoc),
>> where IPsec is difficult to configure and maintain, and this
>> mechanism cannot be used. This draft proposes an alternative
>> mechanism that can be used so that OSPFv3 does not depend upon
>> IPsec for security.
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-bhatia-manral-auth-trailer-ospfv3-00.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> Below is the data which will enable a MIME compliant mail reader
>> implementation to automatically retrieve the ASCII version of the
>> Internet-Draft.
>> --
>> Manav Bhatia,
>> IP Division, Alcatel-Lucent,
>> Bangalore - India
>>
>>
>> _______________________________________________
>> OSPF mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/ospf
>>
> _______________________________________________
> OSPF mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ospf
> _______________________________________________
> karp mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/karp
>
_______________________________________________
OSPF mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ospf
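
The placement rule described in the thread, as an added example that is not part of any message above and not code from the draft: the OSPFv3 header's length field stops before the trailer while the IPv6 payload length covers it, so a receiver without the extension never sees the trailer. The helper names, the opaque 16-byte trailer, the absence of an LLS block and the drop-if-missing policy are assumptions made for illustration.

```python
import struct

# OSPFv3 packet header (RFC 5340): version, type, packet length,
# router ID, area ID, checksum, instance ID, reserved = 16 bytes.
OSPFV3_HDR = struct.Struct("!BBHIIHBB")

def build_ospfv3(pkt_type, router_id, area_id, body):
    """Build a packet whose length field covers header + body only (checksum left 0)."""
    length = OSPFV3_HDR.size + len(body)
    return OSPFV3_HDR.pack(3, pkt_type, length, router_id, area_id, 0, 0, 0) + body

def split_ipv6_payload(payload):
    """Split an IPv6 payload into (ospfv3_packet, bytes_after_the_packet)."""
    if len(payload) < OSPFV3_HDR.size:
        raise ValueError("truncated OSPFv3 header")
    version, _type, length, *_rest = OSPFV3_HDR.unpack_from(payload)
    if version != 3 or not OSPFV3_HDR.size <= length <= len(payload):
        raise ValueError("bad version or length field outside the IPv6 payload")
    return payload[:length], payload[length:]

def at_in_use(local_at, neighbor_at):
    """The trailer is used on a link only if both routers set the AT bit."""
    return local_at and neighbor_at

def legacy_receive(payload):
    """Receiver without the extension: anything past the length field is ignored."""
    return split_ipv6_payload(payload)[0]

def trailer_aware_receive(payload, local_at, neighbor_at):
    """Return (packet, trailer). Assumed policy: once AT is negotiated,
    a packet arriving without a trailer is rejected instead of accepted."""
    packet, trailing = split_ipv6_payload(payload)
    if at_in_use(local_at, neighbor_at) and not trailing:
        raise ValueError("AT negotiated on this link but no trailer present")
    return packet, trailing

def demo():
    # Constructed sample: a Hello (type 1) with a 20-byte dummy body and an
    # opaque 16-byte trailer; the real trailer layout is defined by the draft.
    hello = build_ospfv3(1, 0x0A000001, 0, bytes(20))
    trailer = b"\xaa" * 16
    wire = hello + trailer
    return hello, trailer, legacy_receive(wire), trailer_aware_receive(wire, True, True)

if __name__ == "__main__":
    hello, trailer, legacy, aware = demo()
    print(len(hello), legacy == hello, aware == (hello, trailer))
```
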
