Hi Acee,

Don't know about any incompatibilities in deployed implementations... But this is a good change and, as you said, it is compatible with 7166.
--
Uma C.

PS: Though off topic (and not specific to OSPF too), but a lot of RPs are stuck to this SHA/apad stuff but ideally algorithms and their details SHOULD be totally agnostic to the protocols.

-----Original Message-----
From: OSPF [mailto:ospf-boun...@ietf.org] On Behalf Of Acee Lindem (acee)
Sent: Friday, November 07, 2014 12:50 PM
To: OSPF WG List
Subject: Re: [OSPF] Security Extension for OSPFv2 when using Manual Key Management

I guess everyone agrees with this draft change?

Thanks,
Acee

On 11/3/14, 12:57 PM, "Acee Lindem (acee)" <a...@cisco.com> wrote:

>Are there any implementations of this draft? There is, what I consider,
>a mistake in the source address protection. I'd like to make it
>consistent with RFC 7166. Rather than repeating the IP Source Address
>(L/4) times in Apad, it is included once the same as is done with the
>IPv6 address in RFC 7166. Does this cause anyone any incompatibilities
>with deployed implementations?
>
> OLD:
> OSPF routers sending OSPF packets must initialize Apad to the value
> of the IP source address that would be used when sending an OSPFv2
> packet, repeated L/4 times, where L is the length of the hash,
> measured in octets. The basic idea is to incorporate the IP source
> address from the IP header in the cryptographic authentication
> computation so that any change of IP source address in a replayed
> packet can be detected.
>
> NEW:
> OSPF routers sending OSPF packets must initialize the first 4 octets
> of Apad to the value of the IP source address that would be used when
> sending the OSPFv2 packet. The remainder of Apad will contain
> the value of 0x878FE1F3 repeated (L - 4)/4 times, where L is the
> length of the hash, measured in octets. The basic idea is to
> incorporate the IP source address from the IP header in the
> cryptographic authentication computation so that any change of IP
> source address in a replayed packet can be detected.
>
>Thanks,
>Acee
>
_______________________________________________
OSPF mailing list
OSPF@ietf.org
https://www.ietf.org/mailman/listinfo/ospf
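
The OLD and NEW Apad layouts quoted in the thread, built side by side and fed into a keyed hash, as an added example that is not part of the original messages or any implementation of the draft. The function names, key, packet bytes and addresses are constructed, and the HMAC over packet || Apad with the receiver rebuilding Apad from the IP header is a simplifying assumption, not the full trailer computation.

```python
import hashlib
import hmac
import ipaddress

APAD_FILL = bytes.fromhex("878FE1F3")  # fill constant named in the NEW text


def _check_len(hash_len: int) -> None:
    if hash_len < 4 or hash_len % 4:
        raise ValueError("hash length L must be a multiple of 4 octets")


def apad_old(src_ip: str, hash_len: int) -> bytes:
    """OLD text: IP source address repeated L/4 times."""
    _check_len(hash_len)
    return ipaddress.IPv4Address(src_ip).packed * (hash_len // 4)


def apad_new(src_ip: str, hash_len: int) -> bytes:
    """NEW text: source address once, then 0x878FE1F3 repeated (L - 4)/4 times."""
    _check_len(hash_len)
    return ipaddress.IPv4Address(src_ip).packed + APAD_FILL * ((hash_len - 4) // 4)


def auth_data(key: bytes, packet: bytes, src_ip: str, digest: str = "sha256") -> bytes:
    # Assumption: simplified to HMAC(key, packet || Apad); the real trailer
    # layout and key preparation are not reproduced here.
    hash_len = hashlib.new(digest).digest_size
    return hmac.new(key, packet + apad_new(src_ip, hash_len), digest).digest()


def verify(key, packet, header_src_ip, received, digest="sha256") -> bool:
    # Assumption: the receiver rebuilds Apad from the source address found in
    # the IP header of the packet it actually received.
    return hmac.compare_digest(auth_data(key, packet, header_src_ip, digest), received)


# Constructed sample values (documentation addresses, dummy key and packet).
KEY = b"constructed-manual-key"
PACKET = bytes.fromhex("0201002c") + b"\x00" * 40
SENDER, REPLAY_SRC = "192.0.2.1", "198.51.100.7"

if __name__ == "__main__":
    tag = auth_data(KEY, PACKET, SENDER)
    print("old Apad:", apad_old(SENDER, 32).hex())
    print("new Apad:", apad_new(SENDER, 32).hex())
    print("same source verifies:", verify(KEY, PACKET, SENDER, tag))
    print("replayed from other source verifies:", verify(KEY, PACKET, REPLAY_SRC, tag))
```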