Hi Srini, Actually I am not sure if we dont want them to form an adjacency. I am paranoid about any solution that requires a flag day approach, where one day all routers get upgraded to support a new feature/extension. Given this, i can envisage a scenario when we will have a mix of these routers, with some boxes using AT and some that cant. I believe a CLI knob interop-non-AT-capable-router to control the behavior should be sufficient. The default, when its off, could be to reject any packet that does not carry the AT, if the new auth scheme is turned on. For backward compatibility, you could turn on that knob, that will do as suggested in the original text.
Please note that the AT bit has to be turned on if you want any router to inspect the AT as it will otherwise be unable to parse the incoming packet. Cheers, Manav ________________________________ From: Srinivasan K L [mailto:[email protected]] Sent: Thursday, January 20, 2011 9.42 AM To: Bhatia, Manav (Manav) Cc: [email protected] Subject: RE: [OSPF] AT Bit Hi Manav, While it is expected that routers that support AT and that do not support AT should not form adjacencies, that does not preclude the possibility that they may physically share the same network. The other routers may also running other protocols. My thought was just to ensure that these non-AT supporting routers are not affected/confused by the new extension. Regards, Srini. *************************************************************************************** This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it! ________________________________ From: Bhatia, Manav (Manav) [mailto:[email protected]] Sent: Wednesday, January 19, 2011 9:08 PM To: Srinivasan K L; 'Acee Lindem' Cc: [email protected] Subject: RE: [OSPF] AT Bit Hi Srini, >From the earlier discussion it seems that we will never mix AT capable and >incapable routers. In such cases, the incapable router will never recieve an >OSPF packet carrying the authentication trailer. Cheers, Manav ________________________________ From: Srinivasan K L [mailto:[email protected]] Sent: Wednesday, January 19, 2011 7.31 PM To: 'Acee Lindem'; Bhatia, Manav (Manav) Cc: [email protected] Subject: RE: [OSPF] AT Bit Hi Manav, I agree with Acee. Having a router that does not implement AT on a network where other routers support AT will make that network vulnerable and defeat the purpose of the draft itself. So maybe the question of compatibility does not arise. It can be mandated that adjacencies should only be formed if the AT bit matches the authentication setting on the interface. Another problem: how can we ensure that a router that is incapable of processing AT work correctly when receiving a packet from a router that is sending both AT and LLS? In the current proposal, AT precedes LLS and so older implementation will start interpreting AT as LLS and can be confused. We may need to compromise consistency with OSPFv2 and recommend that AT should come after LLS. Regards, Srini. *************************************************************************************** This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it! ________________________________ From: [email protected] [mailto:[email protected]] On Behalf Of Acee Lindem Sent: Wednesday, January 19, 2011 6:57 PM To: Bhatia, Manav (Manav) Cc: [email protected] Subject: Re: [OSPF] AT Bit Hi Manav, Maybe I'm missing a key point but I think if you are using the new OSPFv3 authentication on a link then all routers on the network corresponding to that link need to support it in order to form adjacencies. Thanks, Acee On Jan 19, 2011, at 7:05 AM, Bhatia, Manav (Manav) wrote: Hi Acee, I think the idea behind this logic was for the purposes of backward compatibility. I agree that this is not right if *all* routers support the AT capability. However, if you have even one router that does not support this, then you would probably need this mechanism.How would an implementation, that is AT incapable, send an OSPFv3 + LLS block to a router, if the receiving end always implicitly assumes the presence of an authentication trailer? One could argue that if the AT router has turned ON authentication then it MUST only accept packets with the AT block, but then we are taking a giant leap of faith where we're assuming that ALL routers will simultaneously turn on the AT mechanism. If folks think that this opens a security hole, then vendors could add a knob that could toggle this behavior. By default, the knob could assume the presence of an authentication trailer if auth has been turned on. The second state would be where authentication trailer is assumed to be present only if the AT bit is set. If folks agree to this, then we could add a note about this in the next revision. Cheers, Manav ________________________________ From: Acee Lindem [mailto:[email protected]] Sent: Wednesday, January 19, 2011 4.34 PM To: Rajesh Shetty Cc: Bhatia, Manav (Manav); [email protected]<mailto:[email protected]> Subject: Re: [OSPF] AT Bit Hi Rajesh, You are correct. I thought that this was in the draft but see that it is not. Right, we should drop packets with the AT Bit clear when authentication is configured on the receiving side. OSPFv3 will drop packets not containing the options field (LS-Request, LS-Update, and Ack) if the adjacency is not in Exchange state or higher. Thanks, Acee On Jan 19, 2011, at 5:19 AM, Rajesh Shetty wrote: Dear All, AT Bit Definition: AT bit must be set in all ospfv3 protocol packets that contain an authentication trailer. On the receiving side authentication trailer is only examined if AT bit is set. Consider a scenario where authentication trailer draft is supported by all the routers and authentication is configured on receiving side but not on sending side. Even in this scenario receiving side will successfully accept the packet (Since AT bit is not set), this is a security threat. Please correct me if I am missing something. Thanks Rajesh This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it! -----Original Message----- From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Acee Lindem Sent: Friday, January 07, 2011 8:39 PM To: Bhatia, Manav (Manav) Cc: [email protected]<mailto:[email protected]>; Vishwas Manral Subject: Re: [OSPF] Supporting Authentication Trailer for OSPFv3 Actually I was just making sure everyone was paying attention :^) Since I'm an author, I'll validate with Abhay and Stewart but I think we can move forward and make this a WG document. Thanks, Acee On Jan 6, 2011, at 8:46 PM, Bhatia, Manav (Manav) wrote: > I am sure Acee meant that the he and the authors would like to see this draft > adopted up as a WG draft. > > I agree with that sentiment and would request this to be accepted as a WG > document. We've had several mails in the past where this work was supported > and none that was against. > > Cheers, Manav > >> -----Original Message----- >> From: Acee Lindem [mailto:[email protected]] >> Sent: Friday, January 07, 2011 2.11 AM >> To: [email protected]<mailto:[email protected]> >> Cc: Bhatia, Manav (Manav); Vishwas Manral >> Subject: Supporting Authentication Trailer for OSPFv3 >> >> Speaking as WG Co-Chair: >> >> At the last OSPF WG meeting, there was some interest in this >> draft. I'm now asking for opinions for and against. >> >> Speaking as a WG member: >> >> The authors (myself included) would not like to make this a >> WG draft. On the OSPF list and at the OSPF WG meeting, the >> only dissent was on along the lines of making IPsec >> (including IKEv2) work better with OSPFv3 rather than doing >> this. I don't disagree that this should be a goal but I don't >> think it should preclude this work. >> >> Thanks, >> Acee _______________________________________________ OSPF mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/ospf _______________________________________________ OSPF mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/ospf
_______________________________________________ OSPF mailing list [email protected] https://www.ietf.org/mailman/listinfo/ospf
