Hi Manav, Vishwas,

I agree with Manav. If you wash your hands once with soap, washing them again with only water doesn't necessarily get your hands any cleaner - but it does, nevertheless, waste water.

Thanks,
Acee

On Jan 19, 2011, at 1:11 AM, Bhatia, Manav (Manav) wrote:
> Strange as it may sound but one could actually argue that the probability of
> finding collisions, assuming a constant checksum in a packet, will be the
> same as not having any checksum to consider. There is imo very little gain
> that one gets by verifying the checksum if the hash (sha-1, etc) has been
> verified - which is also why I believe most protocols ignore the checksum
> value when using some auth scheme.
>
> Cheers, Manav
>
>> -----Original Message-----
>> From: Vishwas Manral [mailto:[email protected]]
>> Sent: Wednesday, January 19, 2011 11.26 AM
>> To: Bhatia, Manav (Manav)
>> Cc: Rajesh Shetty; Acee Lindem; [email protected]
>> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
>>
>> Hi Manav,
>>
>> I am sure errors can creep past CRC32 algorithms. What I am saying is
>> by still having it, it provides another level of security.
>>
>> Thanks,
>> Vishwas
>>
>> On Tue, Jan 18, 2011 at 9:52 PM, Bhatia, Manav (Manav)
>> <[email protected]> wrote:
>>> Hi Vishwas,
>>>
>>> I think computing the checksum when we're already computing
>>> the hash is redundant. There are a lot of errors that can slip
>>> past the internet protocol checksum that currently exists and
>>> a lot of work has been done describing this. One such, widely
>>> referred paper is this:
>>>
>>> Stone, J., Greenwald, M., Partridge, C., and J. Hughes,
>>> "Performance of checksums and CRC's over real data", IEEE/
>>> ACM Trans. Netw. vol 6, num 5, pages 529-543, 1998,
>>> <http://dx.doi.org/10.1109/90.731187>
>>>
>>> In fact, there are several people who turn on cryptographic
>>> authentication only to detect errors that slip past OSPF's
>>> current checksum algo. I had posted a question on NANOG some
>>> time back and I had received a few responses where people
>>> said that they did what I have just described above. So, I
>>> don't think we should do checksum if we're already doing
>>> crypto authentication - I think it's redundant and doesn't
>>> help in any way.
>>>
>>> There is also a draft motivated by this which was presented
>>> in the last IETF.
>>> http://tools.ietf.org/html/draft-jakma-ospf-integrity-00
>>>
>>> Cheers, Manav
>>>
>>>> -----Original Message-----
>>>> From: Vishwas Manral [mailto:[email protected]]
>>>> Sent: Wednesday, January 19, 2011 10.50 AM
>>>> To: Bhatia, Manav (Manav)
>>>> Cc: Rajesh Shetty; Acee Lindem; [email protected]
>>>> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
>>>>
>>>> Hi Manav,
>>>>
>>>> I don't think you gain much by not calculating checksum.
>>>>
>>>> You gain a lot as any issues with the authentication algorithm like
>>>> MD5, the checksum is another level of protection.
>>>>
>>>> Thanks,
>>>> Vishwas
>>>>
>>>> On Tue, Jan 18, 2011 at 8:44 PM, Bhatia, Manav (Manav)
>>>> <[email protected]> wrote:
>>>>> Hi Rajesh,
>>>>>
>>>>> Yes, you are right. We should add text that says that
>>>>> checksum SHOULD not be computed and verified when an
>>>>> authentication trailer is attached to an OSPFv3 packet.
>>>>>
>>>>> Cheers, Manav
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: [email protected] [mailto:[email protected]] On
>>>>>> Behalf Of Rajesh Shetty
>>>>>> Sent: Wednesday, January 19, 2011 10.09 AM
>>>>>> To: 'Acee Lindem'
>>>>>> Cc: [email protected]
>>>>>> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
>>>>>>
>>>>>>
>>>>>> Dear Acee,
>>>>>>
>>>>>> Just a discrepancy between ospfv2 and ospfv3:
>>>>>> In OSPFv2 cryptographic authentication, checksum field is set
>>>>>> to zero. In OSPFv3 authentication Trailer, both cryptographic
>>>>>> authentication and checksum are calculated. Checksum in OSPFv3
>>>>>> covers ipv6 pseudo header, entire ospf packet. Covering ospf
>>>>>> packet might not be necessary in this scenario since
>>>>>> cryptographic authentication already covers the same.
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>> Rajesh
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: [email protected] [mailto:[email protected]] On
>>>>>> Behalf Of Acee Lindem
>>>>>> Sent: Friday, January 07, 2011 8:39 PM
>>>>>> To: Bhatia, Manav (Manav)
>>>>>> Cc: [email protected]; Vishwas Manral
>>>>>> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
>>>>>>
>>>>>> Actually I was just making sure everyone was paying attention
>>>>>> :^) Since I'm an author, I'll validate with Abhay and Stewart
>>>>>> but I think we can move forward and make this a WG document.
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> Acee
>>>>>>
>>>>>> On Jan 6, 2011, at 8:46 PM, Bhatia, Manav (Manav) wrote:
>>>>>>
>>>>>>> I am sure Acee meant that he and the authors would like
>>>>>>> to see this draft adopted as a WG draft.
>>>>>>>
>>>>>>> I agree with that sentiment and would request this to be
>>>>>>> accepted as a WG document. We've had several mails in the
>>>>>>> past where this work was supported and none that was against.
>>>>>>>
>>>>>>> Cheers, Manav
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Acee Lindem [mailto:[email protected]]
>>>>>>>> Sent: Friday, January 07, 2011 2.11 AM
>>>>>>>> To: [email protected]
>>>>>>>> Cc: Bhatia, Manav (Manav); Vishwas Manral
>>>>>>>> Subject: Supporting Authentication Trailer for OSPFv3
>>>>>>>>
>>>>>>>> Speaking as WG Co-Chair:
>>>>>>>>
>>>>>>>> At the last OSPF WG meeting, there was some interest in this
>>>>>>>> draft. I'm now asking for opinions for and against.
>>>>>>>>
>>>>>>>> Speaking as a WG member:
>>>>>>>>
>>>>>>>> The authors (myself included) would not like to make this a
>>>>>>>> WG draft. On the OSPF list and at the OSPF WG meeting, the
>>>>>>>> only dissent was along the lines of making IPsec
>>>>>>>> (including IKEv2) work better with OSPFv3 rather than doing
>>>>>>>> this. I don't disagree that this should be a goal but I don't
>>>>>>>> think it should preclude this work.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Acee
>>>>>>
>>>>>> _______________________________________________
>>>>>> OSPF mailing list
>>>>>> [email protected]
>>>>>> https://www.ietf.org/mailman/listinfo/ospf
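
The redundancy argument in this thread, as an added example that is not part of any message above: two kinds of corruption that leave the RFC 1071 Internet checksum unchanged are still caught by a keyed hash such as HMAC-SHA-1. The payload bytes, the key and all function names are constructed for illustration, and the IPv6 pseudo header that the OSPFv3 checksum also covers is left out.

```python
import hashlib
import hmac
import struct

# Constructed 16-byte payload standing in for a routing packet (not a capture).
PACKET = bytes.fromhex("03010028c0a8010100000000000a0014")
KEY = b"constructed-demo-key"  # assumed shared authentication key


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _words(data: bytes) -> list:
    return list(struct.unpack(f"!{len(data) // 2}H", data))


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Reorder two 16-bit words; a sum does not depend on word order."""
    ws = _words(data)
    ws[i], ws[j] = ws[j], ws[i]
    return struct.pack(f"!{len(ws)}H", *ws)


def offsetting_errors(data: bytes, i: int, j: int) -> bytes:
    """Two errors that cancel in the sum: +1 in one word, -1 in another."""
    ws = _words(data)
    ws[i] += 1
    ws[j] -= 1
    return struct.pack(f"!{len(ws)}H", *ws)


def flip_bit(data: bytes, index: int) -> bytes:
    """Single-bit error in one byte; both checks should catch this one."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]


def detects(original: bytes, corrupted: bytes) -> tuple:
    """Return (checksum_detects, hmac_detects) for a corrupted copy."""
    def mac(d: bytes) -> bytes:
        return hmac.new(KEY, d, hashlib.sha1).digest()
    return (internet_checksum(original) != internet_checksum(corrupted),
            not hmac.compare_digest(mac(original), mac(corrupted)))
```

Calling detects(PACKET, swap_words(PACKET, 2, 3)) or detects(PACKET, offsetting_errors(PACKET, 6, 7)) shows the checksum missing a change that the keyed hash catches.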
