Tony,
Many thanks for amplifying my push to have AH a MUST. Your point is
well taken and one I had not thought of.
Best Regards,
Jeffrey Dunn
Info Systems Eng., Lead
MITRE Corporation.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Tony Hain
Sent: Thur
Brian,
Your question points up my entire problem with this document. If we
try to define the lowest common denominator for an IPv6
Capable/Compliant/Compatible device (note the lack of any real
nomenclature), we risk setting the expectation level at ground. As a
result, I question the need for t
Hi Tony,
You bring forward a very good point, I had raised the same issue about
3 years back in the IPsec list. There are now some drafts to add
support for the same in IPv6. The basic idea is that a middle-box (like
a firewall) should be able to identify a NULL encrypted packet.
I was however tol
Vishwas,
Fair enough, I was equating the LSA with the OSPFv2 message that
carried the LSA. In the case of cryptographic authentication, the
message digest is appended to the message. The point is that there is
the provision for computing a message digest over the entire
Actually, I believe tha
ESP == MUST && AH == MUST
There is a major problem with ESP/NULL & firewalls, so AH has to be there.
The crap about lack of an API as a reason to downgrade the requirement for
both of these is nothing more than a concession to IETF politics, where 'we
don't define APIs' was the mantra at the po
Mea culpa. I stand corrected on that particular point, and am glad FWIW that
RFC 4552 does in fact state:
"In order to provide authentication to OSPFv3, implementations MUST
support ESP and MAY support AH."
Couldn't have written it better myself.
Best regards,
Tim Enos
Ps 84:10-12
>Subjec
I don't see why this would belong in a generic IPv6 node
requirement. It belongs in the OSPFv3 spec.
Brian
On 2008-03-07 08:57, Dunn, Jeffrey H. wrote:
> Vishwas and Tim,
>
> I would prefer to require one or the other. This is because a router
> implementing OSPFv3 MUST provide some means of
At Mon, 25 Feb 2008 15:34:13 -0500,
"Hemant Singh (shemant)" <[EMAIL PROTECTED]> wrote:
> We have recast our draft into an "IPv6 Subnet Model" draft. After
> discussing with Thomas Narten and Erik Nordmark it was felt that the
> IPv6 subnet model is really not explained anywhere in any existing IP
Vishwas and Tim,
I would prefer to require one or the other. This is because a router
implementing OSPFv3 MUST provide some means of authenticating messages.
The options are:
1. ESP-NULL: ESP without confidentiality and with integrity
2. ESP-ENC: ESP with confidentiality
3. AH: AH with integrity
Hi Jeff,
You are close but still not quite there.
OSPFv2 had some fields in all packets (LSA is not a packet but a
content in a packet) to send a Hash along with the packet for
authentication. It was not used in OSPFv3 because of the assumption
that all nodes will support ESP and the packets can a
Hi Tim,
You may have not read the OSPFv3 security RFC - RFC4552. It states clearly:
In order to provide authentication to OSPFv3, implementations MUST
support ESP and MAY support AH.
Thanks,
Vishwas
On Thu, Mar 6, 2008 at 9:49 AM, Tim Enos <[EMAIL PROTECTED]> wrote:
> I too would be in fa
I too would be in favor of a SHOULD for the AH requirement, with language
dedicated both to a specific example of where AH is arguably a MUST (e.g. for
nodes implementing OSPFv3), and other language which at least outlines where AH
is and is not applicable.
Best regards,
Tim Enos
Ps 84:10-12
I also suggest that the AH requirement be SHOULD, or even better MUST,
for nodes implementing OSPFv3, RFC 2740. This is based on the removal
of the authentication LSA from OSPFv3, which was done with the
expectation that AH would be mandatory. Thoughts?
Best Regards,
Jeffrey Dunn
Info Systems
13 matches