Strange as it may sound, one could actually argue that the probability of finding collisions, assuming a constant checksum in a packet, will be the same as not having any checksum to consider. There is imo very little gain that one gets by verifying the checksum if the hash (sha-1, etc) has been verified - which is also why I believe most protocols ignore the checksum value when using some auth scheme.

Cheers, Manav

> -----Original Message-----
> From: Vishwas Manral [mailto:[email protected]]
> Sent: Wednesday, January 19, 2011 11.26 AM
> To: Bhatia, Manav (Manav)
> Cc: Rajesh Shetty; Acee Lindem; [email protected]
> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
>
> Hi Manav,
>
> I am sure errors can creep past CRC32 algorithms. What I am saying is
> by still having it, it provides another level of security.
>
> Thanks,
> Vishwas
>
> On Tue, Jan 18, 2011 at 9:52 PM, Bhatia, Manav (Manav)
> <[email protected]> wrote:
> > Hi Vishwas,
> >
> > I think computing the checksum when we're already computing the
> > hash is redundant. There are a lot of errors that can slip past the
> > internet protocol checksum that currently exists and a lot of work
> > has been done describing this. One such widely referred paper is
> > this:
> >
> > Stone, J., Greenwald, M., Partridge, C., and J. Hughes,
> > "Performance of checksums and CRC's over real data", IEEE/ACM
> > Trans. Netw. vol 6, num 5, pages 529-543, 1998,
> > <http://dx.doi.org/10.1109/90.731187>
> >
> > In fact, there are several people who turn on cryptographic
> > authentication only to detect errors that slip past OSPF's current
> > checksum algo. I had posted a question on NANOG some time back and
> > I had received a few responses where people said that they did what
> > I have just described above. So, I don't think we should do
> > checksum if we're already doing crypto authentication - I think
> > it's redundant and doesn't help in any way.
> >
> > There is also a draft motivated by this which was presented in the
> > last IETF.
> > http://tools.ietf.org/html/draft-jakma-ospf-integrity-00
> >
> > Cheers, Manav
> >
> >> -----Original Message-----
> >> From: Vishwas Manral [mailto:[email protected]]
> >> Sent: Wednesday, January 19, 2011 10.50 AM
> >> To: Bhatia, Manav (Manav)
> >> Cc: Rajesh Shetty; Acee Lindem; [email protected]
> >> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
> >>
> >> Hi Manav,
> >>
> >> I don't think you gain much by not calculating checksum.
> >>
> >> You gain a lot as any issues with the authentication algorithm like
> >> MD5, the checksum is another level of protection.
> >>
> >> Thanks,
> >> Vishwas
> >>
> >> On Tue, Jan 18, 2011 at 8:44 PM, Bhatia, Manav (Manav)
> >> <[email protected]> wrote:
> >> > Hi Rajesh,
> >> >
> >> > Yes, you are right. We should add text that says that checksum
> >> > SHOULD not be computed and verified when an authentication
> >> > trailer is attached to an OSPFv3 packet.
> >> >
> >> > Cheers, Manav
> >> >
> >> >> -----Original Message-----
> >> >> From: [email protected] [mailto:[email protected]] On
> >> >> Behalf Of Rajesh Shetty
> >> >> Sent: Wednesday, January 19, 2011 10.09 AM
> >> >> To: 'Acee Lindem'
> >> >> Cc: [email protected]
> >> >> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
> >> >>
> >> >>
> >> >> Dear Acee,
> >> >>
> >> >> Just a discrepancy between ospfv2 and ospfv3:
> >> >> In OSPFv2 cryptographic authentication, checksum field is set
> >> >> to zero. In OSPFv3 authentication Trailer, both cryptographic
> >> >> authentication and checksum are calculated. Checksum in OSPFv3
> >> >> covers ipv6 pseudo header, entire ospf packet. Covering ospf
> >> >> packet might not be necessary in this scenario since
> >> >> cryptographic authentication already covers the same.
> >> >>
> >> >>
> >> >> Thanks
> >> >> Rajesh
> >> >>
> >> >>
> >> >> -----Original Message-----
> >> >> From: [email protected] [mailto:[email protected]] On
> >> >> Behalf Of Acee Lindem
> >> >> Sent: Friday, January 07, 2011 8:39 PM
> >> >> To: Bhatia, Manav (Manav)
> >> >> Cc: [email protected]; Vishwas Manral
> >> >> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
> >> >>
> >> >> Actually I was just making sure everyone was paying attention
> >> >> :^) Since I'm an author, I'll validate with Abhay and Stewart
> >> >> but I think we can move forward and make this a WG document.
> >> >>
> >> >>
> >> >> Thanks,
> >> >> Acee
> >> >>
> >> >> On Jan 6, 2011, at 8:46 PM, Bhatia, Manav (Manav) wrote:
> >> >>
> >> >> > I am sure Acee meant that he and the authors would like to
> >> >> > see this draft adopted up as a WG draft.
> >> >> >
> >> >> > I agree with that sentiment and would request this to be
> >> >> > accepted as a WG document. We've had several mails in the
> >> >> > past where this work was supported and none that was against.
> >> >> >
> >> >> > Cheers, Manav
> >> >> >
> >> >> >> -----Original Message-----
> >> >> >> From: Acee Lindem [mailto:[email protected]]
> >> >> >> Sent: Friday, January 07, 2011 2.11 AM
> >> >> >> To: [email protected]
> >> >> >> Cc: Bhatia, Manav (Manav); Vishwas Manral
> >> >> >> Subject: Supporting Authentication Trailer for OSPFv3
> >> >> >>
> >> >> >> Speaking as WG Co-Chair:
> >> >> >>
> >> >> >> At the last OSPF WG meeting, there was some interest in this
> >> >> >> draft. I'm now asking for opinions for and against.
> >> >> >>
> >> >> >> Speaking as a WG member:
> >> >> >>
> >> >> >> The authors (myself included) would not like to make this a
> >> >> >> WG draft. On the OSPF list and at the OSPF WG meeting, the
> >> >> >> only dissent was along the lines of making IPsec
> >> >> >> (including IKEv2) work better with OSPFv3 rather than doing
> >> >> >> this. I don't disagree that this should be a goal but I don't
> >> >> >> think it should preclude this work.
> >> >> >>
> >> >> >> Thanks,
> >> >> >> Acee
> >> >>
> >> >> _______________________________________________
> >> >> OSPF mailing list
> >> >> [email protected]
> >> >> https://www.ietf.org/mailman/listinfo/ospf
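
The point argued in the thread, that errors can slip past the Internet-style checksum while a keyed digest over the same bytes still notices them, shown as an added example that is not part of the original messages or of the draft. The packet bytes and key are constructed, HMAC-SHA-1 is an assumed stand-in for the authentication trailer's algorithm, and the IPv6 pseudo-header is left out.

```python
import hashlib
import hmac
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement checksum, the family OSPF uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def auth_digest(key: bytes, data: bytes) -> bytes:
    """Keyed digest standing in for the trailer (HMAC-SHA-1 is an assumption)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Exchange two 16-bit words; addition is commutative, so the sum is unchanged."""
    words = [data[k:k + 2] for k in range(0, len(data), 2)]
    words[i], words[j] = words[j], words[i]
    return b"".join(words)

def offsetting_errors(data: bytes, i: int, j: int) -> bytes:
    """Add 1 to word i and subtract 1 from word j; the two errors cancel in the sum."""
    words = list(struct.unpack(f"!{len(data) // 2}H", data))
    words[i] += 1
    words[j] -= 1
    return struct.pack(f"!{len(words)}H", *words)

def compare(original: bytes, damaged: bytes, key: bytes) -> dict:
    """Report which integrity check notices that the packet changed."""
    return {
        "payload_changed": original != damaged,
        "checksum_detects": internet_checksum(original) != internet_checksum(damaged),
        "digest_detects": not hmac.compare_digest(
            auth_digest(key, original), auth_digest(key, damaged)),
    }

KEY = b"constructed-demo-key"  # constructed, not a real key
# Constructed 24-byte sample; not a captured OSPFv3 packet, no IPv6 pseudo-header.
PACKET = bytes.fromhex("0301002c0a0000010000000000000000c0a80101c0a80102")

if __name__ == "__main__":
    for name, damaged in [("swap", swap_words(PACKET, 0, 1)),
                          ("offset", offsetting_errors(PACKET, 1, 9)),
                          ("bitflip", bytes([PACKET[0] ^ 1]) + PACKET[1:])]:
        print(name, compare(PACKET, damaged, KEY))
```

The word swap and the offsetting pair both change the payload without changing the checksum, while the single bit flip is caught by both checks.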
