Re: [Lsr] [OSPFv2/v3] Regarding Authentication process during last key expiry or no active keys of key chain

Mon, 08 Mar 2021 00:44:28 -0800 

Hi Veeru,
        Is there a need to have the same behaviour? When we had to
implement it I remember we followed rule 1 for OSPFv3, but we
triggered a trap message before doing so.

Thanks & Regards,
Abhinay R

On Mon, Mar 8, 2021 at 9:00 AM Veerendranatha Reddy V
<veerendranatha.reddy.v=40ericsson....@dmarc.ietf.org> wrote:
>
> Hi All,
>
> As per OSPF authentication RFCs , during last key expired/inactive key  of 
> key chain the behavior of authentication process is different between 
> OSPFv2/v3
>
>
>
> For OSPFv2 from RFC 5709,
>
>       [ From Section 3.2]
>
>    Key storage SHOULD persist across a system restart, warm or cold, to
>
>    avoid operational issues.  In the event that the last key associated
>
>    with an interface expires, it is unacceptable to revert to an
>
>    unauthenticated condition, and not advisable to disrupt routing.
>
>    Therefore, the router should send a "last Authentication Key
>
>    expiration" notification to the network manager and treat the key as
>
>    having an infinite lifetime until the lifetime is extended, the key
>
>    is deleted by network management, or a new key is configured.
>
>
>
> For OSPFv3 from RFC7166,
>
>              [From  Section 3]
>
>       Key storage SHOULD persist across a system restart, warm or cold,
>
>       to avoid operational issues.  In the event that the last key
>
>       associated with an interface expires, the network operator SHOULD
>
>       be notified, and the OSPFv3 packet MUST NOT be transmitted
>
>       unauthenticated.
>
>
>
> For new implementation for these RFCs, I am requesting to provide the 
> suggested behavior.
>
> Sending side:
>
> Should not send the packet until valid key configured on key chain.
> Packet send without authentication.
> Packet send with the last expired authentication key.
>
>
>
> Receiving side:
>
> Ignore the packets until valid key configured on key chain.
> Accept the packets without authentication.
> Accept the packets matches  the last expired key.
>
>
>
>
>
> Thanks & Regards,
>
> Veerendranath
>
> _______________________________________________
> Lsr mailing list
> Lsr@ietf.org
> https://www.ietf.org/mailman/listinfo/lsr



-- 
~♥~♫AbHiNaY♫~♥~∞

_______________________________________________
Lsr mailing list
Lsr@ietf.org
https://www.ietf.org/mailman/listinfo/lsr

Reply via email to