On 01/19/2011 03:51 PM, Bhatia, Manav (Manav) wrote:
> Hi Michael, The design was kept this way since this is how it is done in OSPFv2. Besides getting rid of IPsec the idea is also to bring OSPFv3 at par with OSPFv2 and we would like both the protocols to behave in a similar fashion. In v2, the Auth data precedes the LLS block and there is a separate TLV that carries authentication data for the LLS block. I think we should do the same for the sake of consistency between the two protocols.

OSPFv2 is the way it is because of the order in which features were introduced, in order to maintain backward compatibility, not because anyone thought this was the best way to authenticate LLS. I think we should not follow a precedent which is poor. IMHO the right way to do this for v3 is to have one authentication block for the OSPFv3 packet as well as the LLS block.

> The other idea behind putting AT before LLS was that if we did it the other way round, then implementations would NOT be able to support AT till they had at least minimal code that could understand and parse the LLS block. We didn't want that to happen as chances of seeing nodes supporting AT over LLS are higher.

I have a hard time believing that is a real issue. If the AT followed the LLS block, it would be pretty trivial to find the length of the LLS block and calculate the position of the AT.

> I think we can include another subsection that defines a Cryptographic Authentication TLV for LLS that could be used for OSPFv3. Alternately, we could respin a one page draft that updates RFC 5613, and permits the existing crypto auth TLV to be used for OSPFv3 as well. I would personally prefer the latter approach as it's cleaner to keep these things separate.

I respectfully disagree.

> I don't think we should include the Session ID and Nonce here. That work will be done in KARP and it will take a looooooooong time before we finalize on a scheme that fixes OSPF authentication when using manual keying. Secondly, this draft is about bringing OSPFv3 auth at par with OSPFv2, since operators are using auth with v2 and are NOT doing it with v3. Implementing the AT draft is a matter of a few days, however, if you bring in the Session and the Nonce thing here, then we have already pushed it to a few years. I don't think we should wait for that long.

If the fields are included in the initial definition, even if unused then it will ease implementation later. Let's please at least reserve space for them in the AT.

Thanks, Michael

> Cheers, Manav

_______________________________________________
OSPF mailing list
https://www.ietf.org/mailman/listinfo/ospf
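The exchange above turns on whether a receiver can locate an authentication trailer (AT) that sits after the LLS block. As an added illustration of Michael's point (this is example code written for this page, not code from the draft, from RFC 5613, or from either author), the parser below reads the OSPFv3 Packet Length field, then the LLS Data Length field, and from those two values computes where the AT begins and which bytes a single authentication block covering both the packet and the LLS block would protect. It assumes the standard 16-byte OSPFv3 header with Packet Length at offset 2, the RFC 5613 LLS header (16-bit checksum, then 16-bit LLS Data Length in 32-bit words including the header), and that the caller already knows whether an LLS block is present (on the wire this is signalled by the L-bit in the Options field; here it is simply a parameter). The sample packet, the LLS TLV and the 16-byte AT payload are constructed placeholders, not real wire captures.

```python
import struct

OSPFV3_HEADER_LEN = 16  # version, type, packet length, router id, area id, checksum, instance id, reserved
LLS_HEADER_LEN = 4      # RFC 5613: 16-bit checksum + 16-bit LLS Data Length (in 32-bit words)


def ospfv3_packet_length(buf):
    """Packet Length field of the OSPFv3 header (offset 2); covers header + body, not LLS or AT."""
    if len(buf) < OSPFV3_HEADER_LEN:
        raise ValueError("buffer shorter than OSPFv3 header")
    return struct.unpack_from("!H", buf, 2)[0]


def lls_block_length(buf, offset):
    """Byte length of the LLS block starting at offset, derived from its own length field."""
    if len(buf) < offset + LLS_HEADER_LEN:
        raise ValueError("truncated LLS header")
    words = struct.unpack_from("!H", buf, offset + 2)[0]
    length = words * 4  # length field is in 32-bit words and includes the 4-byte LLS header
    if length < LLS_HEADER_LEN or offset + length > len(buf):
        raise ValueError("LLS Data Length is inconsistent with the buffer")
    return length


def locate_trailer(buf, lls_present):
    """Return offsets of the LLS block and the AT when the AT follows the LLS block.

    Also returns the byte range a single authentication block would cover under the
    'one block protects packet + LLS' design discussed in the thread (assumed here:
    everything from the OSPFv3 header up to, but not including, the AT).
    """
    pkt_len = ospfv3_packet_length(buf)
    if pkt_len < OSPFV3_HEADER_LEN or pkt_len > len(buf):
        raise ValueError("Packet Length is inconsistent with the buffer")
    lls_offset = None
    lls_len = 0
    if lls_present:
        lls_offset = pkt_len
        lls_len = lls_block_length(buf, lls_offset)
    at_offset = pkt_len + lls_len
    return {
        "packet_length": pkt_len,
        "lls_offset": lls_offset,
        "lls_length": lls_len,
        "at_offset": at_offset,
        "at_length": len(buf) - at_offset,
        "covered_range": (0, at_offset),
    }


def build_sample_packet():
    """Constructed OSPFv3 Hello + LLS block + placeholder AT (not a real capture)."""
    body = struct.pack("!IB3sHHII", 7, 1, b"\x00\x00\x13", 10, 40, 0, 0)  # 20-byte Hello body
    header = struct.pack("!BBHIIHBB", 3, 1, OSPFV3_HEADER_LEN + len(body),
                         0x01010101, 0, 0, 0, 0)                       # Packet Length = 36
    lls_tlv = struct.pack("!HH4s", 1, 4, b"\x00\x00\x00\x01")           # one 8-byte TLV
    lls_words = (LLS_HEADER_LEN + len(lls_tlv)) // 4                    # 12 bytes -> 3 words
    lls = struct.pack("!HH", 0, lls_words) + lls_tlv
    at = b"\xAA" * 16                                                   # placeholder AT bytes
    return header + body + lls + at


if __name__ == "__main__":
    pkt = build_sample_packet()
    print(locate_trailer(pkt, lls_present=True))
    print(locate_trailer(pkt, lls_present=False))
```

Note that the two length checks are what make this safe on untrusted input: a Packet Length or LLS Data Length pointing past the end of the datagram is rejected before any offset is used, so an unauthenticated sender cannot steer the receiver's AT lookup outside the buffer.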
