Hi Acee, Good analogy, it was really innovative and very close to the example I mentioned.

In our case however it may be like having different layers of security. In the opsec WG I recently got this comment, equating it to multiple layers of diapers. http://www.ietf.org/mail-archive/web/opsec/current/msg00794.html

Manav, I am not surprised by what you have said. http://marc.info/?l=ietf-saag&m=115562329103154&w=1 is a draft I wrote nearly 5 years back and got some comments which are similar to yours, but I do not agree that they are true.

Thanks,
Vishwas

On Wed, Jan 19, 2011 at 3:07 AM, Acee Lindem <[email protected]> wrote:
> Hi Manav, Vishwas,
> I agree with Manav. If you wash your hands once with soap, washing them again with only water doesn't necessarily get your hands any cleaner - but it does, nevertheless, waste water.
> Thanks,
> Acee
>
> On Jan 19, 2011, at 1:11 AM, Bhatia, Manav (Manav) wrote:
>
>> Strange as it may sound but one could actually argue that the probability of finding collisions, assuming a constant checksum in a packet, will be the same as not having any checksum to consider. There is imo very little gain that one gets by verifying the checksum if the hash (sha-1, etc) has been verified - which is also why I believe most protocols ignore the checksum value when using some auth scheme.
>>
>> Cheers, Manav
>>
>>> -----Original Message-----
>>> From: Vishwas Manral [mailto:[email protected]]
>>> Sent: Wednesday, January 19, 2011 11.26 AM
>>> To: Bhatia, Manav (Manav)
>>> Cc: Rajesh Shetty; Acee Lindem; [email protected]
>>> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
>>>
>>> Hi Manav,
>>>
>>> I am sure errors can creep past CRC32 algorithms. What I am saying is by still having it, it provides another level of security.
>>>
>>> Thanks,
>>> Vishwas
>>>
>>> On Tue, Jan 18, 2011 at 9:52 PM, Bhatia, Manav (Manav) <[email protected]> wrote:
>>>> Hi Vishwas,
>>>>
>>>> I think computing the checksum when we're already computing the hash is redundant. There are a lot of errors that can slip past the internet protocol checksum that currently exists and a lot of work has been done describing this. One such, widely referred paper is this:
>>>>
>>>> Stone, J., Greenwald, M., Partridge, C., and J. Hughes, "Performance of checksums and CRC's over real data", IEEE/ACM Trans. Netw. vol 6, num 5, pages 529-543, 1998, <http://dx.doi.org/10.1109/90.731187>
>>>>
>>>> In fact, there are several people who turn on cryptographic authentication only to detect errors that slip past OSPF's current checksum algo. I had posted a question on NANOG some time back and I had received a few responses where people said that they did what I have just described above. So, I don't think we should do checksum if we're already doing crypto authentication - I think it's redundant and doesn't help in any way.
>>>>
>>>> There is also a draft motivated by this which was presented in the last IETF.
>>>> http://tools.ietf.org/html/draft-jakma-ospf-integrity-00
>>>>
>>>> Cheers, Manav
>>>>
>>>>> -----Original Message-----
>>>>> From: Vishwas Manral [mailto:[email protected]]
>>>>> Sent: Wednesday, January 19, 2011 10.50 AM
>>>>> To: Bhatia, Manav (Manav)
>>>>> Cc: Rajesh Shetty; Acee Lindem; [email protected]
>>>>> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
>>>>>
>>>>> Hi Manav,
>>>>>
>>>>> I don't think you gain much by not calculating checksum.
>>>>>
>>>>> You gain a lot, as with any issues in the authentication algorithm like MD5, the checksum is another level of protection.
>>>>>
>>>>> Thanks,
>>>>> Vishwas
>>>>>
>>>>> On Tue, Jan 18, 2011 at 8:44 PM, Bhatia, Manav (Manav) <[email protected]> wrote:
>>>>>> Hi Rajesh,
>>>>>>
>>>>>> Yes, you are right. We should add text that says that checksum SHOULD not be computed and verified when an authentication trailer is attached to an OSPFv3 packet.
>>>>>>
>>>>>> Cheers, Manav
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Rajesh Shetty
>>>>>>> Sent: Wednesday, January 19, 2011 10.09 AM
>>>>>>> To: 'Acee Lindem'
>>>>>>> Cc: [email protected]
>>>>>>> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
>>>>>>>
>>>>>>> Dear Acee,
>>>>>>>
>>>>>>> Just a discrepancy between OSPFv2 and OSPFv3: In OSPFv2 cryptographic authentication, the checksum field is set to zero. In OSPFv3 authentication trailer, both cryptographic authentication and checksum are calculated. Checksum in OSPFv3 covers the IPv6 pseudo header and the entire OSPF packet. Covering the OSPF packet might not be necessary in this scenario since cryptographic authentication already covers the same.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Rajesh
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Acee Lindem
>>>>>>> Sent: Friday, January 07, 2011 8:39 PM
>>>>>>> To: Bhatia, Manav (Manav)
>>>>>>> Cc: [email protected]; Vishwas Manral
>>>>>>> Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3
>>>>>>>
>>>>>>> Actually I was just making sure everyone was paying attention :^) Since I'm an author, I'll validate with Abhay and Stewart but I think we can move forward and make this a WG document.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Acee
>>>>>>>
>>>>>>> On Jan 6, 2011, at 8:46 PM, Bhatia, Manav (Manav) wrote:
>>>>>>>
>>>>>>>> I am sure Acee meant that he and the authors would like to see this draft adopted as a WG draft.
>>>>>>>>
>>>>>>>> I agree with that sentiment and would request this to be accepted as a WG document. We've had several mails in the past where this work was supported and none that were against.
>>>>>>>>
>>>>>>>> Cheers, Manav
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Acee Lindem [mailto:[email protected]]
>>>>>>>>> Sent: Friday, January 07, 2011 2.11 AM
>>>>>>>>> To: [email protected]
>>>>>>>>> Cc: Bhatia, Manav (Manav); Vishwas Manral
>>>>>>>>> Subject: Supporting Authentication Trailer for OSPFv3
>>>>>>>>>
>>>>>>>>> Speaking as WG Co-Chair:
>>>>>>>>>
>>>>>>>>> At the last OSPF WG meeting, there was some interest in this draft. I'm now asking for opinions for and against.
>>>>>>>>>
>>>>>>>>> Speaking as a WG member:
>>>>>>>>>
>>>>>>>>> The authors (myself included) would not like to make this a WG draft. On the OSPF list and at the OSPF WG meeting, the only dissent was along the lines of making IPsec (including IKEv2) work better with OSPFv3 rather than doing this. I don't disagree that this should be a goal but I don't think it should preclude this work.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Acee
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OSPF mailing list
>>>>>>> [email protected]
>>>>>>> https://www.ietf.org/mailman/listinfo/ospf
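Manav's point (a verified keyed digest already catches anything the checksum could) and Rajesh's description of the OSPFv3 checksum coverage, as an added example that is not part of this thread: it computes the RFC 1071 checksum over a constructed IPv6 pseudo-header plus packet, uses HMAC-SHA256 as a stand-in for the authentication trailer (the draft's real trailer layout is not reproduced, and the key, addresses and packet bytes are constructed), and compares what each check catches under a 16-bit word transposition and under random bit flips.

```python
import hashlib
import hmac
import random

# Constructed sample data (not a real OSPFv3 packet or authentication-trailer layout):
# IPv6 pseudo-header = src, dst, upper-layer length, 3 zero bytes, next header 89 (OSPF).
SRC = bytes.fromhex("fe80000000000000000000000000000a")
DST = bytes.fromhex("ff020000000000000000000000000005")
PACKET = bytes(range(1, 65))  # 64 bytes of distinct values
PSEUDO_HEADER = SRC + DST + len(PACKET).to_bytes(4, "big") + b"\x00\x00\x00\x59"
KEY = b"constructed-shared-key-not-a-real-secret"

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, which OSPFv3 takes over pseudo-header + packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def auth_digest(key: bytes, packet: bytes) -> bytes:
    """Keyed digest standing in for the authentication trailer (HMAC-SHA256 chosen here)."""
    return hmac.new(key, packet, hashlib.sha256).digest()

def word_swap_detection(i: int = 3, j: int = 10) -> tuple:
    """Transpose 16-bit words i and j of PACKET (a reordering error the one's-complement
    sum cannot see) and return (checksum_changed, digest_changed)."""
    buf = bytearray(PACKET)
    buf[2 * i:2 * i + 2], buf[2 * j:2 * j + 2] = buf[2 * j:2 * j + 2], buf[2 * i:2 * i + 2]
    csum_changed = internet_checksum(PSEUDO_HEADER + bytes(buf)) != internet_checksum(PSEUDO_HEADER + PACKET)
    mac_changed = not hmac.compare_digest(auth_digest(KEY, bytes(buf)), auth_digest(KEY, PACKET))
    return csum_changed, mac_changed

def random_error_trial(trials: int = 2000, max_flips: int = 4, seed: int = 7) -> dict:
    """Flip 1..max_flips random bits of PACKET per trial and count which check catches it."""
    rng = random.Random(seed)
    good_csum = internet_checksum(PSEUDO_HEADER + PACKET)
    good_mac = auth_digest(KEY, PACKET)
    counts = {"both": 0, "digest_only": 0, "checksum_only": 0, "neither": 0}
    for _ in range(trials):
        buf = bytearray(PACKET)
        for bit in rng.sample(range(len(buf) * 8), rng.randint(1, max_flips)):
            buf[bit // 8] ^= 1 << (bit % 8)
        csum_caught = internet_checksum(PSEUDO_HEADER + bytes(buf)) != good_csum
        mac_caught = not hmac.compare_digest(auth_digest(KEY, bytes(buf)), good_mac)
        counts["both" if csum_caught and mac_caught else "digest_only" if mac_caught
               else "checksum_only" if csum_caught else "neither"] += 1
    return counts
```

The word transposition leaves the checksum unchanged but changes the digest, and in the random trials no corruption is ever caught by the checksum alone, which is the redundancy the thread argues about.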
