Hi Uma,

On Nov 7, 2014, at 6:26 PM, Uma Chunduri <uma.chund...@ericsson.com> wrote:

> Hi Acee,
>
> Don't know about any incompatibilities in deployed implementations...
> But this is a good change and as you said, it is compatible with 7166.

Thanks for the endorsement.

> --
> Uma C.
>
> PS:
>
> Though off topic (and not specific to OSPF too), a lot of RPs are stuck to
> this SHA/apad stuff, but ideally algorithms and their details SHOULD be
> totally agnostic to the protocols.

I think this would have been possible. However, we've already gone in this direction.

Thanks,
Acee

> -----Original Message-----
> From: OSPF [mailto:ospf-boun...@ietf.org] On Behalf Of Acee Lindem (acee)
> Sent: Friday, November 07, 2014 12:50 PM
> To: OSPF WG List
> Subject: Re: [OSPF] Security Extension for OSPFv2 when using Manual Key Management
>
> I guess everyone agrees with this draft change?
> Thanks,
> Acee
>
> On 11/3/14, 12:57 PM, "Acee Lindem (acee)" <a...@cisco.com> wrote:
>
>> Are there any implementations of this draft? There is, what I consider,
>> a mistake in the source address protection. I'd like to make it
>> consistent with RFC 7166. Rather than repeating the IP Source Address
>> (L/4) times in Apad, it is included once, the same as is done with the
>> IPv6 address in RFC 7166. Does this cause anyone any incompatibilities
>> with deployed implementations?
>>
>> OLD:
>>    OSPF routers sending OSPF packets must initialize Apad to the value
>>    of the IP source address that would be used when sending an OSPFv2
>>    packet, repeated L/4 times, where L is the length of the hash,
>>    measured in octets. The basic idea is to incorporate the IP source
>>    address from the IP header in the cryptographic authentication
>>    computation so that any change of IP source address in a replayed
>>    packet can be detected.
>>
>> NEW:
>>    OSPF routers sending OSPF packets must initialize the first 4 octets
>>    of Apad to the value of the IP source address that would be used when
>>    sending the OSPFv2 packet. The remainder of Apad will contain the
>>    value of 0x878FE1F3 repeated (L - 4)/4 times, where L is the length
>>    of the hash, measured in octets. The basic idea is to incorporate
>>    the IP source address from the IP header in the cryptographic
>>    authentication computation so that any change of IP source address
>>    in a replayed packet can be detected.
>>
>> Thanks,
>>
>> Acee
>>
>
> _______________________________________________
> OSPF mailing list
> OSPF@ietf.org
> https://www.ietf.org/mailman/listinfo/ospf
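The following is an added illustration of the OLD and NEW Apad constructions quoted above, and of why binding the IP source address into the keyed digest lets a receiver reject a replayed packet that arrives from a different source. It is example code written for this page, not code from the draft, from RFC 5709, or from any OSPF implementation. Assumptions, labelled in the comments: the digest is an HMAC over the OSPF packet bytes with Apad occupying the authentication data position (the RFC 5709 arrangement), the sample packet header is a constructed, not captured, OSPFv2 header, and the key is a constructed placeholder. Hash lengths follow the draft text: for SHA-256 L is 32, so the NEW Apad is the 4-octet address plus 0x878FE1F3 repeated 7 times; for SHA-1 L is 20, giving 4 repetitions.

```python
import hashlib
import hmac
import ipaddress

# Constant word used to fill Apad in RFC 5709; the NEW draft text keeps it
# for every 4-octet word after the first.
APAD_CONST = bytes.fromhex("878FE1F3")


def apad_old(src_ip: str, L: int) -> bytes:
    """OLD draft text: the IPv4 source address repeated L/4 times."""
    addr = ipaddress.IPv4Address(src_ip).packed
    return addr * (L // 4)


def apad_new(src_ip: str, L: int) -> bytes:
    """NEW draft text: the IPv4 source address once, then 0x878FE1F3
    repeated (L - 4)/4 times, so the total length is still L octets."""
    addr = ipaddress.IPv4Address(src_ip).packed
    return addr + APAD_CONST * ((L - 4) // 4)


def compute_digest(ospf_packet: bytes, key: bytes, src_ip: str,
                   hash_name: str = "sha256") -> bytes:
    """Keyed digest over the OSPF packet with the NEW Apad in the position of
    the authentication data. Assumption: ospf_packet holds every byte up to
    the authentication trailer, and the HMAC construction of RFC 5709 applies."""
    L = hashlib.new(hash_name).digest_size
    return hmac.new(key, ospf_packet + apad_new(src_ip, L), hash_name).digest()


def verify_digest(ospf_packet: bytes, received_digest: bytes, key: bytes,
                  src_ip: str, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute with the source address actually seen in the
    IP header and compare in constant time."""
    expected = compute_digest(ospf_packet, key, src_ip, hash_name)
    return hmac.compare_digest(expected, received_digest)


# Constructed sample (not a capture): a minimal OSPFv2 Hello header with
# AuType 2 (cryptographic authentication), key ID 1, auth data length 32,
# cryptographic sequence number 1. Field values are illustrative only.
SAMPLE_PACKET = bytes.fromhex(
    "0201002c"      # version 2, type 1 (Hello), packet length
    "0a000001"      # router ID
    "00000000"      # area ID
    "0000"          # checksum (unused with cryptographic authentication)
    "0002"          # AuType = 2
    "0000"          # reserved
    "01"            # key ID
    "20"            # authentication data length (32 octets for SHA-256)
    "00000001"      # cryptographic sequence number
)
KEY = b"constructed-example-key"  # placeholder, not a real key


def demo():
    """Returns (verifies_from_original_source, verifies_when_replayed)."""
    sender_ip = "10.0.0.1"
    digest = compute_digest(SAMPLE_PACKET, KEY, sender_ip)
    genuine = verify_digest(SAMPLE_PACKET, digest, KEY, sender_ip)
    # The same bytes replayed from another IP source address: the receiver
    # builds Apad from the address it observed, so the digest no longer matches.
    replayed = verify_digest(SAMPLE_PACKET, digest, KEY, "10.0.0.2")
    return genuine, replayed


if __name__ == "__main__":
    print("OLD Apad (SHA-1):   ", apad_old("10.0.0.1", 20).hex())
    print("NEW Apad (SHA-1):   ", apad_new("10.0.0.1", 20).hex())
    print("NEW Apad (SHA-256): ", apad_new("10.0.0.1", 32).hex())
    print("genuine, replayed = ", demo())
```

The receiver never trusts an address carried inside the OSPF payload; it rebuilds Apad from the IP header of the datagram it actually received, which is what makes the source-address check meaningful. Note that with the NEW text the address contributes exactly one 4-octet word regardless of hash length, the same shape as the IPv6 handling in RFC 7166 that the change is meant to match.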