Hi Vishwas,

I think computing the checksum when we're already computing the hash is redundant. There are a lot of errors that can slip past the internet protocol checksum that currently exists and a lot of work has been done describing this. One such, widely referred paper is this:

Stone, J., Greenwald, M., Partridge, C., and J. Hughes, "Performance of checksums and CRC's over real data", IEEE/ACM Trans. Netw. vol 6, num 5, pages 529-543, 1998, <http://dx.doi.org/10.1109/90.731187>

In fact, there are several people who turn on cryptographic authentication only to detect errors that slip past OSPF's current checksum algo. I had posted a question on NANOG some time back and I had received a few responses where people said that they did what I have just described above.

So, I don't think we should do checksum if we're already doing crypto authentication - I think it's redundant and doesn't help in any way.

There is also a draft motivated by this which was presented in the last IETF.

http://tools.ietf.org/html/draft-jakma-ospf-integrity-00

Cheers, Manav

> -----Original Message-----
> From: Vishwas Manral [mailto:[email protected]]
> Sent: Wednesday, January 19, 2011 10.50 AM
> To: Bhatia, Manav (Manav)
> Cc: Rajesh Shetty; Acee Lindem; [email protected]
> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
>
> Hi Manav,
>
> I don't think you gain much by not calculating checksum.
>
> You gain a lot as any issues with the authentication algorithm like
> MD5, the checksum is another level of protection.
>
> Thanks,
> Vishwas
>
> On Tue, Jan 18, 2011 at 8:44 PM, Bhatia, Manav (Manav) <[email protected]> wrote:
> > Hi Rajesh,
> >
> > Yes, you are right. We should add text that says that checksum SHOULD not be computed and verified when an authentication trailer is attached to an OSPFv3 packet.
> >
> > Cheers, Manav
> >
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]] On Behalf Of Rajesh Shetty
> >> Sent: Wednesday, January 19, 2011 10.09 AM
> >> To: 'Acee Lindem'
> >> Cc: [email protected]
> >> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
> >>
> >> Dear Acee,
> >>
> >> Just a discrepancy between ospfv2 and ospfv3:
> >> In OSPFv2 cryptographic authentication, checksum field is set to zero. In OSPFv3 authentication Trailer, both cryptographic authentication and checksum are calculated. Checksum in OSPFv3 covers ipv6 pseudo header, entire ospf packet. Covering ospf packet might not be necessary in this scenario since cryptographic authentication already covers the same.
> >>
> >> Thanks
> >> Rajesh
> >>
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]] On Behalf Of Acee Lindem
> >> Sent: Friday, January 07, 2011 8:39 PM
> >> To: Bhatia, Manav (Manav)
> >> Cc: [email protected]; Vishwas Manral
> >> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
> >>
> >> Actually I was just making sure everyone was paying attention :^) Since I'm an author, I'll validate with Abhay and Stewart but I think we can move forward and make this a WG document.
> >>
> >> Thanks,
> >> Acee
> >>
> >> On Jan 6, 2011, at 8:46 PM, Bhatia, Manav (Manav) wrote:
> >>
> >> > I am sure Acee meant that he and the authors would like to see this draft adopted as a WG draft.
> >> >
> >> > I agree with that sentiment and would request this to be accepted as a WG document. We've had several mails in the past where this work was supported and none that was against.
> >> >
> >> > Cheers, Manav
> >> >
> >> >> -----Original Message-----
> >> >> From: Acee Lindem [mailto:[email protected]]
> >> >> Sent: Friday, January 07, 2011 2.11 AM
> >> >> To: [email protected]
> >> >> Cc: Bhatia, Manav (Manav); Vishwas Manral
> >> >> Subject: Supporting Authentication Trailer for OSPFv3
> >> >>
> >> >> Speaking as WG Co-Chair:
> >> >>
> >> >> At the last OSPF WG meeting, there was some interest in this draft. I'm now asking for opinions for and against.
> >> >>
> >> >> Speaking as a WG member:
> >> >>
> >> >> The authors (myself included) would not like to make this a WG draft. On the OSPF list and at the OSPF WG meeting, the only dissent was along the lines of making IPsec (including IKEv2) work better with OSPFv3 rather than doing this. I don't disagree that this should be a goal but I don't think it should preclude this work.
> >> >>
> >> >> Thanks,
> >> >> Acee
> >>
> >> _______________________________________________
> >> OSPF mailing list
> >> [email protected]
> >> https://www.ietf.org/mailman/listinfo/ospf
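
Added example, not part of the thread or of the draft: the one's-complement Internet checksum (RFC 1071) accepts several kinds of corruption that a keyed hash rejects, which is the error-detection gap discussed above. The sample bytes, the key and the use of HMAC-SHA-256 are assumptions made for illustration; the IPv6 pseudo-header that the OSPFv3 checksum also covers is left out.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: any shared secret
# Constructed 16-byte sample (eight 16-bit words), not a real OSPF packet.
PACKET = bytes.fromhex("0301002c0a00000100000000c0a80101")


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mutate(data: bytes, changes: dict) -> bytes:
    """Return a copy with the 16-bit words at the given indices replaced."""
    words = list(struct.unpack(f"!{len(data) // 2}H", data))
    for index, value in changes.items():
        words[index] = value
    return struct.pack(f"!{len(words)}H", *words)


def mac(data: bytes, key: bytes = KEY) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# Three corruptions that leave the one's-complement sum unchanged.
CASES = {
    "two words reordered": mutate(PACKET, {0: 0x0001, 3: 0x0301}),
    "0x0000 word became 0xffff": mutate(PACKET, {4: 0xFFFF}),
    "offsetting +1/-1 errors": mutate(PACKET, {1: 0x002D, 7: 0x0100}),
}


def compare(original: bytes, corrupted: bytes) -> tuple:
    """(checksum still matches, HMAC still matches) for a corrupted copy."""
    return (
        internet_checksum(original) == internet_checksum(corrupted),
        hmac.compare_digest(mac(original), mac(corrupted)),
    )


if __name__ == "__main__":
    for name, corrupted in CASES.items():
        print(name, compare(PACKET, corrupted))
```

Each case reports that the checksum still matches while the HMAC does not, so a receiver relying on the checksum alone would accept all three corrupted copies.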
