1
OSPF WG
  • Cryptographic Algorithm Implementation
    Requirements for OSPF
  • draft-bhatia-manral-crypto-req-ospf-00.txt
  • Vishwas Manral, IPInfusion
  • Manav Bhatia, Lucent Technologies
  • IETF 67, San Diego, USA

2
Different OSPF Auth Schemes
  • NULL, Simple and Cryptographic
  • Recent Reports of attacks on collision resistance
    properties of MD5 and SHA-1
  • Cryptographically stronger algorithms have been
    proposed in the WG (HMAC-SHA-1, etc)

3
New Algorithms keep coming ..
  • In cryptography, new algorithms surface
    continuously and existing ones are continuously
    attacked.
  • Thus the choice of mandatory-to-implement
    algorithms should be conservative to minimize the
    likelihood of OSPF being compromised.
  • Would not want to change the OSPF spec each time
    a cryptographically stronger algorithm is
    suggested.
  • E.g., DES in the older IPsec RFC was a MUST but
    has now become a SHOULD NOT. The same goes for MD5
    in the IPsec space.

4
Interoperability Issues
  • There should be a document that tells which
    algorithms to support and which not for minimum
    interoperability.
  • With time the number of algorithms to support
    will increase and we need a minimum set of
    algorithms as well as their current state of
    support documented
  • The document would specify the MUST / MAY /
    SHOULD / SHOULD NOT for algorithms that are to be
    supported
  • This would be a running document that can be
    changed as and when newer algorithms come and the
    older ones get deprecated
  • For IPsec the algorithms supported in RFC2401 and
    the ones in RFC4305 have changed. In fact some
    MUST have become SHOULD NOT etc.

5
Additional RFC 2119 terms
  • SHOULD+ - Same as SHOULD. However, it is likely
    that an algorithm marked as SHOULD+ will be
    promoted at some future time to be a MUST.
  • MUST- - Same as MUST for now. However, it's expected
    that at some point in future this algorithm will
    no longer be a MUST.
  • MAY+ - Same as MAY for now. However, it's expected
    that this algorithm may get promoted at some
    future time to be a SHOULD.

6
Auth Scheme Selection when Security is required
    Old Req   RFC    New Requirement   Authentication Scheme
    -------   ----   ---------------   -----------------------
    MUST      2328   SHOULD NOT        Null Authentication (1)
    MUST      2328   SHOULD NOT        Simple Password (2)
    MUST      2328   MUST              Cryptographic Auth
  • NULL auth cannot be used if operator requires
    network security.
  • Used mostly to avoid accidental introduction of
    router in a domain. Not useful if security is
    required

7
Authentication Algo Selection
    Old Req   Old RFC   New Requirement   Authentication Algorithm
    -------   -------   ---------------   ----------------------------------------
    MUST      2328      MUST-             Keyed MD5
    -         -         SHOULD            HMAC-SHA-1
    -         -         MAY               HMAC-SHA-256/HMAC-SHA-384/HMAC-SHA-512

  • Bhatia, M., Manral, V., White, R. and Barnes, M.,
    "OSPF HMAC Cryptographic Authentication", Work in
    Progress

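
An added example (not part of the original slides or the draft): a Python audit helper that reads the AuType and Auth Data Length fields of an OSPFv2 header, laid out as in RFC 2328, and reports the requirement level from the two tables above. It assumes the algorithm can be inferred from the digest length alone (16 bytes is taken to be Keyed MD5); the function names and sample packets are constructed for illustration.

```python
import struct

# Requirement levels copied from the two tables above.
SCHEMES = {0: ("Null Authentication", "SHOULD NOT"),
           1: ("Simple Password", "SHOULD NOT"),
           2: ("Cryptographic Auth", "MUST")}
# Assumption: the algorithm is inferred from the digest length in bytes.
ALGORITHMS = {16: ("Keyed MD5", "MUST-"), 20: ("HMAC-SHA-1", "SHOULD"),
              32: ("HMAC-SHA-256", "MAY"), 48: ("HMAC-SHA-384", "MAY"),
              64: ("HMAC-SHA-512", "MAY")}


def classify(packet: bytes) -> dict:
    """Map one OSPFv2 packet's authentication to the deck's requirement levels."""
    if len(packet) < 24:
        raise ValueError("shorter than the 24-byte OSPFv2 header")
    version, _type, length, router_id, _area, _cksum, autype = struct.unpack(
        "!BBH4s4sHH", packet[:16])
    if version != 2:
        raise ValueError("not an OSPFv2 packet")
    scheme, level = SCHEMES.get(autype, (f"AuType {autype}", "unlisted"))
    out = {"router": ".".join(str(b) for b in router_id),
           "scheme": scheme, "level": level, "algorithm": None}
    if autype == 2:
        # Authentication field: zero (2 bytes), Key ID, Auth Data Length, sequence.
        _zero, key_id, auth_len, _seq = struct.unpack("!HBBI", packet[16:24])
        # The digest trails the packet and is not counted in the length field.
        if len(packet) < length + auth_len:
            raise ValueError("trailing digest is truncated")
        algorithm, level = ALGORITHMS.get(
            auth_len, (f"{auth_len}-byte digest", "unlisted"))
        out.update(algorithm=algorithm, level=level, key_id=key_id)
    # Flag what the tables discourage, plus Keyed MD5, which is marked MUST-.
    out["flag"] = out["level"] in ("SHOULD NOT", "MUST-", "unlisted")
    return out


def sample(autype: int, digest_len: int = 0) -> bytes:
    """Constructed Hello-sized packet from router 192.0.2.1 (zeroed body, digest)."""
    auth = struct.pack("!HBBI", 0, 1, digest_len, 7) if autype == 2 else bytes(8)
    header = struct.pack("!BBH4s4sHH", 2, 1, 44, bytes([192, 0, 2, 1]),
                         bytes(4), 0, autype)
    return header + auth + bytes(20) + bytes(digest_len)


if __name__ == "__main__":
    for pkt in (sample(0), sample(1), sample(2, 16), sample(2, 20), sample(2, 32)):
        print(classify(pkt))
```
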
8
Questions?