Hi Michael,

> On 01/14/2011 12:55 AM, Bhatia, Manav (Manav) wrote:
> >> > Regarding the new format for hello packets, is this format to be used
> >> > only during challenge and response, or for all hello packets when this
> >> > new form of authentication is enabled?
> >
> > This has to be used *all* the time.
>
> I'm not very excited about a 3x increase in the number of bytes per
> neighbor. (For those who haven't read the draft, it changes the Hello
> packet so that it contains 12 bytes for each neighbor over the current 4
> bytes per neighbor.) I have to wonder if this is really necessary for
> each and every hello packet. I'm certainly not a security expert, but it
> seems to me that once we have verified the neighbor's session ID we
> shouldn't continue to need to receive our own session ID and nonce back
> in every hello packet. Did you consider if this can't be optimized?
Nonce and Session IDs are essential to protect against inter- and intra-replay attacks. While I think we need to carry them all the time, I am not precluding the possibility of some optimization that can get in here.

The idea behind submitting this draft was to initiate a discussion on how to start securing OSPF when it's using manual keying. I am also ok if we start this discussion and arrive at a solution that's quite divergent from the one that's presented here!

Cheers, Manav

_______________________________________________
OSPF mailing list
OSPF@ietf.org
https://www.ietf.org/mailman/listinfo/ospf
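As an added illustration of the two replay cases Manav refers to (this is example code, not from the draft or from either poster): a receiver that checks the sender's own nonce catches intra-session replay, and a receiver that checks the echo of its own session ID in the neighbor list catches inter-session replay after it restarts. The 12-byte per-neighbor layout (router ID, echoed session ID, echoed nonce, 4 bytes each) and the restart/nonce semantics are assumptions for the model.

```python
import struct

# Assumed per-neighbor entry: neighbor router ID, echoed session ID, echoed nonce.
# 12 bytes, versus the 4-byte router ID of a classic OSPF Hello neighbor entry.
NEIGHBOR_ENTRY = "!III"
ENTRY_LEN = struct.calcsize(NEIGHBOR_ENTRY)


def build_neighbor_list(entries):
    """entries: iterable of (router_id, session_id_seen, nonce_seen)."""
    return b"".join(struct.pack(NEIGHBOR_ENTRY, *e) for e in entries)


def parse_neighbor_list(blob):
    if len(blob) % ENTRY_LEN:
        raise ValueError("truncated neighbor list")
    return [struct.unpack_from(NEIGHBOR_ENTRY, blob, off)
            for off in range(0, len(blob), ENTRY_LEN)]


class HelloReceiver:
    """Minimal model of a router deciding whether a received Hello is fresh."""

    def __init__(self, router_id, session_id):
        self.router_id = router_id
        self.session_id = session_id  # assumed to change on every restart
        self.nonce = 0                # assumed to increase with every Hello we send
        self.seen = {}                # sender router ID -> (session, nonce) last accepted

    def send_hello(self):
        self.nonce += 1
        return self.session_id, self.nonce

    def accept(self, sender_id, sender_session, sender_nonce, neighbor_blob):
        # Intra-session replay: within one sender session the nonce must advance.
        last = self.seen.get(sender_id)
        if last and last[0] == sender_session and sender_nonce <= last[1]:
            return False, "replayed nonce"
        # Inter-session replay: if the sender lists us, it must echo our *current*
        # session ID, so a Hello captured before our last restart is rejected even
        # though the restarted router has no per-sender state yet.
        for rid, echoed_session, echoed_nonce in parse_neighbor_list(neighbor_blob):
            if rid == self.router_id:
                if echoed_session != self.session_id:
                    return False, "stale session id echoed"
                if echoed_nonce > self.nonce:
                    return False, "echoed nonce we never sent"
        self.seen[sender_id] = (sender_session, sender_nonce)
        return True, "ok"
```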