Hi Alia,
Thanks for the review. See inline.
From: Alia Atlas <[email protected]>
Date: Friday, October 3, 2014 at 3:52 PM
To: Ospf Chairs <[email protected]>, "[email protected]" <[email protected]>, Vishwas Manral <[email protected]>, OSPF WG List <[email protected]>
Subject: [OSPF] AD review of draft-ietf-ospf-security-extension-manual-keying-08
As I do with all drafts that are ready to progress, I have done my AD review of
this draft-ietf-ospf-security-extension-manual-keying-08. In this case, I
apologize for it taking so long.
The draft is very clear and well-written. I do have a few comments, but I have
sent it to IETF Last Call for review while we discuss. Assuming that goes
smoothly and comments (including mine below) are taken into account, I expect
the draft to go to IESG telechat for Oct 30.
Major Comment:
My one concern is that in Section 3, it says:
"Additionally, the 64-bit sequence number is moved to the first 64-bits
following the OSPFv2 packet and is protected by the authentication digest."
but I do not see any other place where RFC 5709 is updated to include that
sequence number. In Sec 3.3, RFC 5709 says:
First-Hash = H(Ko XOR Ipad || (OSPFv2 Packet))
and I think it would be most excellent for this draft to clearly
update that to be (OSPFv2 Packet + Sequence Number).
With this draft, we attempted to avoid Stephen Farrell's ire by not repeating
the authentication algorithm, as we have done when applying SHAx-HMAC
authentication to each routing protocol. Note that RFC 5709 includes the
statement:
Implementation Notes:
Note that the First-Hash above includes the Authentication
Trailer containing the Apad value, as well as the OSPF packet,
as per RFC 2328, Section D.4.3.
In section 5, we will add:
The 64-bit sequence number will be included in the
First-Hash along with the Authentication
Trailer and OSPF packet (Refer to Section 3.3 in RFC
5709).
Minor Comments:
Should the meta-data and header indicate that this updated RFC 5709? It
certainly looks like it.
I don’t feel strongly on this. However, this is a new type of OSPFv2
cryptographic authentication and RFC 5709 authentication will continue to be
supported by implementations that support it. So, one could argue that it
updates RFC 2328 rather than RFC 5709. The whole issue of when to use the
“Updates” would be a good topic for WG chair discussion.
Thanks,
Acee
Thanks for the hard work on a good draft to make routing more secure!
Alia
_______________________________________________
OSPF mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ospf
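To make the change under discussion concrete, here is an added worked example (illustration code written for this page, not code from the draft, from RFC 5709, or from any OSPF implementation). It computes the RFC 5709 HMAC-SHA digest as H(Ko XOR Opad || H(Ko XOR Ipad || data)), with Ko prepared per RFC 5709 Section 3.3 and the Apad trailer (0x878FE1F3 repeated L/4 times) standing in for the digest, and then shows the draft's variant in which the 64-bit sequence number is placed in the first 64 bits following the OSPFv2 packet and so is covered by the First-Hash. Assumptions: the sequence number sits between the packet and Apad (my reading of "the first 64-bits following the OSPFv2 packet"; the quoted text does not spell out the byte layout); Python's `hmac` zero-pads the L-octet Ko to the block size B before the XOR with Ipad/Opad, which is the usual HMAC reading of the RFC's construction; the key, router ID and 24-octet OSPFv2 header are constructed sample input, and `replay_check` is a hypothetical receiver rule, not text from the draft.

```python
"""Added example: RFC 5709 OSPFv2 HMAC-SHA digest, with and without the
64-bit sequence number that the draft places after the OSPFv2 packet.
Illustration only; not code from the draft, RFC 5709 or any OSPF stack."""
import hashlib
import hmac
import struct

# RFC 5709 Section 3.3: Apad is 0x878FE1F3 repeated L/4 times (L = hash length).
APAD_WORD = bytes.fromhex("878FE1F3")


def hash_len(hashname):
    return hashlib.new(hashname).digest_size


def apad(hashname):
    return APAD_WORD * (hash_len(hashname) // 4)


def rfc5709_ko(key, hashname):
    """Key preparation, RFC 5709 Section 3.3 step (1): Ko is always L octets.
    len(K) == L -> Ko = K; len(K) > L -> Ko = H(K); len(K) < L -> K zero-padded."""
    L = hash_len(hashname)
    if len(key) == L:
        return key
    if len(key) > L:
        return hashlib.new(hashname, key).digest()
    return key + b"\x00" * (L - len(key))


def ospf_digest(key, packet, hashname="sha256", seq64=None):
    """H(Ko XOR Opad || H(Ko XOR Ipad || data)), i.e. HMAC keyed with Ko.
    data = OSPFv2 packet || [64-bit sequence number] || Apad: per the RFC 5709
    Implementation Notes the First-Hash covers the packet and the trailer with
    Apad in the digest's place. Putting the sequence number between packet and
    Apad is this example's assumption about the byte layout the draft describes.
    Python's hmac zero-pads the L-octet Ko to block size B before the XOR with
    Ipad/Opad (assumed here; the RFC text does not spell that padding out)."""
    data = bytes(packet)
    if seq64 is not None:
        data += struct.pack("!Q", seq64)
    data += apad(hashname)
    return hmac.new(rfc5709_ko(key, hashname), data, hashname).digest()


def verify(key, packet, digest, hashname="sha256", seq64=None):
    return hmac.compare_digest(ospf_digest(key, packet, hashname, seq64), digest)


def build_ospfv2_header(router_id, area_id, key_id, hashname, seq32):
    """Constructed 24-octet OSPFv2 header (Hello, AuType 2) as sample input.
    Checksum is 0 under cryptographic authentication (RFC 2328 D.4.3); the
    64-bit Authentication field holds 0, Key ID, Auth Data Length, 32-bit seq."""
    auth = struct.pack("!HBBI", 0, key_id, hash_len(hashname), seq32)
    return struct.pack("!BBH4s4sHH", 2, 1, 24, router_id, area_id, 0, 2) + auth


def replay_check(key, packet, seq64, digest, last_seen):
    """Hypothetical receiver rule (not from the draft): accept only a verified
    packet whose 64-bit sequence number exceeds the last one seen from this
    neighbor. Returns (accepted, updated last_seen)."""
    if seq64 <= last_seen or not verify(key, packet, digest, seq64=seq64):
        return False, last_seen
    return True, seq64


def demo():
    key = b"constructed-manual-key"  # constructed sample key, not a real one
    pkt = build_ospfv2_header(bytes([192, 0, 2, 1]), bytes(4), 1, "sha256", 7)
    sent_seq, sent_digest = 7, ospf_digest(key, pkt, seq64=7)
    ok1, last = replay_check(key, pkt, sent_seq, sent_digest, last_seen=6)
    # Replaying the captured packet after seq 7 has been seen is rejected ...
    ok2, last = replay_check(key, pkt, sent_seq, sent_digest, last_seen=last)
    # ... and so is bumping the sequence number, because the digest covers it.
    ok3, last = replay_check(key, pkt, 8, sent_digest, last_seen=last)
    return ok1, ok2, ok3


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one in the Major Comment: with the 64-bit sequence number inside the data fed to the First-Hash, a captured packet cannot be replayed with a higher sequence number, because any change to that field changes the digest. Computing the digest only over the packet and Apad, as the unmodified RFC 5709 formula reads, would leave the trailing sequence number unauthenticated.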