Authentication/Confidentiality for OSPFv2 draft-gupta-ospf-ospfv2-sec-00.txt

1
Authentication/Confidentiality for OSPFv2
draft-gupta-ospf-ospfv2-sec-00.txt
  • Nagavenkata Suresh Melam
  • nmelam_at_juniper.net
  • Mukesh Gupta
  • mukesh.gupta_at_tropos.com

2
Draft
  • Using IPsec to protect the OSPFv2 packets
  • Provides both Authentication and Encryption
  • Based largely on the similar RFC 4552, written
    for OSPFv3

3
Quick Summary
  • Manual symmetric keys
  • Same keys in both directions
  • Each IP subnet MUST be configured with same
    keys
  • Should work with existing routers that also
    support IPsec

4
Details
  • Transport mode MUST be supported; tunnel mode MAY be
    used
  • ESP MUST be supported; AH MAY be used
  • Encryption and authentication algorithms:
  • Reference to RFC 4305, which mandates a different set
    of algorithms
  • 3DES-CBC MUST for encryption and HMAC-SHA1 MUST for
    authentication
  • AES-CBC SHOULD for encryption
  • HMAC-MD5 MAY for authentication
  • Implementation MUST support multiple SPDs and an
    SPD selection function

5
Virtual Links
  • As the endpoint addresses are learned dynamically,
    rules can only be installed into the SPD after the
    addresses have been learned
  • A different set of rules from those configured on
    the IP subnets

6
Rekeying
  • Keys need to be changed periodically
  • Key rollover procedure is specified in the
    document
  • Suggestions for the key rollover interval
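The draft's own rollover text is not on this page; the slides say it is based on RFC 4552, whose Section 10.1 procedure for manually keyed SAs is modelled below. This is an added example, not code from the draft or the authors. It assumes, as slide 3 states, that every router on a subnet shares one key in both directions, and contrasts the three-step rollover (add the new inbound SA everywhere, then switch outbound, then delete the old inbound SA, with the rollover interval between steps) against an abrupt swap. Router, Sa, make_link and the SPI/key values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Sa:
    spi: int
    key: bytes


class Router:
    """One OSPF router on a link with manually keyed IPsec SAs (constructed model)."""

    def __init__(self, name: str, spi: int, key: bytes):
        self.name = name
        self.inbound = {spi: key}      # SPI -> key; several SAs may be accepted at once
        self.outbound = Sa(spi, key)   # the single SA used when sending


def make_link(names, spi: int = 0x100, key: bytes = b"old-shared-key"):
    """All routers on a subnet start with the same SA in both directions (slide 3)."""
    return [Router(n, spi, key) for n in names]


def deliverable(sender: Router, receiver: Router) -> bool:
    """A packet is accepted only if the receiver holds an inbound SA with the
    sender's outbound SPI and the matching key."""
    return receiver.inbound.get(sender.outbound.spi) == sender.outbound.key


def broken_pairs(routers) -> int:
    """Number of (sender, receiver) pairs whose OSPF packets would be dropped right now."""
    return sum(1 for s in routers for r in routers if s is not r and not deliverable(s, r))


def staged_rollover(routers, new_spi: int, new_key: bytes) -> list:
    """Three-step rollover of RFC 4552 section 10.1 (assumed to be what the draft reuses).
    Every router completes a step before any router starts the next; the rollover
    interval from the slides is the wait between steps. Returns broken_pairs() after
    each individual change so the reader can see that no adjacency ever breaks."""
    old_spi = routers[0].outbound.spi
    log = []
    for r in routers:                  # step 1: accept the new SA, keep sending on the old one
        r.inbound[new_spi] = new_key
        log.append(broken_pairs(routers))
    for r in routers:                  # step 2: send on the new SA; every peer already accepts it
        r.outbound = Sa(new_spi, new_key)
        log.append(broken_pairs(routers))
    for r in routers:                  # step 3: retire the old inbound SA everywhere
        del r.inbound[old_spi]
        log.append(broken_pairs(routers))
    return log


def abrupt_rollover(routers, new_spi: int, new_key: bytes) -> list:
    """Contrast: each router swaps both SAs at once. Until the last router is done,
    routers that have switched cannot exchange OSPF with those that have not."""
    log = []
    for r in routers:
        r.inbound = {new_spi: new_key}
        r.outbound = Sa(new_spi, new_key)
        log.append(broken_pairs(routers))
    return log


if __name__ == "__main__":
    print("staged:", staged_rollover(make_link("ABC"), 0x200, b"new-shared-key"))
    print("abrupt:", abrupt_rollover(make_link("ABC"), 0x200, b"new-shared-key"))
```

With three routers the staged log is all zeros, while the abrupt swap leaves four sender/receiver pairs unable to talk until the last router has changed over. Step 3 is the one that matters for security: until the old inbound SA is deleted, a holder of the old key can still inject packets.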

7
IPsec Rules
  • Authentication/Confidentiality disabled
  • Authentication/Confidentiality enabled

  No  Source      Destination  Protocol              Action
  1   any         any          OSPF                  bypass
  2   intfPrefix  any          OSPF                  protect
  3   intfPrefix  any          ESP/OSPF or AH/OSPF   protect
  4   src/32      dst/32       OSPF                  protect
  5   src/32      dst/32       ESP/OSPF or AH/OSPF   protect

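An added example (not code from the draft or its authors) of the SPD selection function that slide 4 requires, using the rule table above: one SPD per unprotected subnet (rule 1), one per protected subnet (rules 2 and 3), and one per virtual link whose /32 rules (4 and 5) are installed only after the endpoint addresses are learned, as slide 5 describes. Assumptions not taken from the slides: a packet carries the interface or virtual-link key it arrived on or leaves by, the virtual-link rules are installed in both directions, and a packet matching no rule is discarded (the RFC 4301 default). Packet, Rule, Spd, SpdSelector and all addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

OSPF = 89         # IP protocol number of OSPF
ESP, AH = 50, 51  # IP protocol numbers of the IPsec headers


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    via: str                     # interface or virtual-link key handed to the selection function
    encap: Optional[int] = None  # ESP, AH, or None when OSPF sits directly in IP
    proto: int = OSPF            # protocol carried (inside any ESP/AH header)


def pkt(src: str, dst: str, via: str, encap: Optional[int] = None) -> Packet:
    return Packet(ip_address(src), ip_address(dst), via, encap)


@dataclass(frozen=True)
class Rule:
    number: int                  # row number from the rule table on slide 7
    src: Optional[IPv4Network]   # None = "any"
    dst: Optional[IPv4Network]   # None = "any"
    encap: tuple                 # () = plain OSPF, (ESP, AH) = "ESP/OSPF or AH/OSPF"
    action: str                  # "bypass" or "protect"

    def matches(self, p: Packet) -> bool:
        if p.proto != OSPF:
            return False
        if self.encap and p.encap not in self.encap:       # rule wants ESP/AH, packet is plain
            return False
        if not self.encap and p.encap is not None:         # rule wants plain, packet is ESP/AH
            return False
        if self.src is not None and p.src not in self.src:
            return False
        if self.dst is not None and p.dst not in self.dst:
            return False
        return True


class Spd:
    """One security policy database; rules are ordered and the first match wins."""

    def __init__(self, rules=()):
        self.rules = list(rules)

    def lookup(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "discard"   # assumption: RFC 4301 default for traffic matching no entry


def subnet_spd(protected: bool, intf_prefix: Optional[str] = None) -> Spd:
    """Rules for an IP subnet: rule 1 when protection is off, rules 2 and 3 when on."""
    if not protected:
        return Spd([Rule(1, None, None, (), "bypass")])
    prefix = ip_network(intf_prefix)
    return Spd([Rule(2, prefix, None, (), "protect"),
                Rule(3, prefix, None, (ESP, AH), "protect")])


def virtual_link_spd(local: str, remote: str) -> Spd:
    """Rules 4 and 5 for a virtual link, installable only once both /32s are known.
    Installed in both directions here (an assumption, since both directions use the same keys)."""
    rules = []
    for a, b in ((local, remote), (remote, local)):
        src, dst = ip_network(f"{a}/32"), ip_network(f"{b}/32")
        rules += [Rule(4, src, dst, (), "protect"), Rule(5, src, dst, (ESP, AH), "protect")]
    return Spd(rules)


class SpdSelector:
    """The SPD selection function: pick the SPD by interface or virtual link, then look up."""

    def __init__(self):
        self.spds = {}

    def install(self, key: str, spd: Spd) -> None:
        self.spds[key] = spd

    def decide(self, p: Packet) -> str:
        spd = self.spds.get(p.via)
        return spd.lookup(p) if spd else "discard"   # no SPD yet (e.g. virtual link not learned)


def demo() -> dict:
    """Constructed router: eth0 unprotected, eth1 protected, one virtual link learned later."""
    sel = SpdSelector()
    sel.install("eth0", subnet_spd(protected=False))
    sel.install("eth1", subnet_spd(protected=True, intf_prefix="10.1.0.0/24"))
    out = {
        "eth0 hello": sel.decide(pkt("10.0.0.1", "224.0.0.5", "eth0")),
        "eth1 hello": sel.decide(pkt("10.1.0.1", "224.0.0.5", "eth1")),
        "eth1 esp": sel.decide(pkt("10.1.0.2", "10.1.0.1", "eth1", ESP)),
        "eth1 off-subnet": sel.decide(pkt("192.0.2.7", "224.0.0.5", "eth1")),
        "vl before learn": sel.decide(pkt("10.1.0.1", "192.0.2.9", "vl-1")),
    }
    sel.install("vl-1", virtual_link_spd("10.1.0.1", "192.0.2.9"))   # addresses now learned
    out["vl after learn"] = sel.decide(pkt("10.1.0.1", "192.0.2.9", "vl-1"))
    out["vl inbound ah"] = sel.decide(pkt("192.0.2.9", "10.1.0.1", "vl-1", AH))
    out["vl wrong peer"] = sel.decide(pkt("192.0.2.8", "10.1.0.1", "vl-1"))
    return out


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:16} -> {action}")
```

Two behaviours are worth noticing: on the protected subnet a plain OSPF packet from an address outside intfPrefix matches neither rule 2 nor rule 3 and is discarded rather than passed through, and a virtual link has no usable SPD at all until its endpoints are learned, which is why slide 5 needs a separate rule set from the subnet rules.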
8
Limitations
  • Manual Keying
  • No sequence number support
  • No protection against replay attacks
  • rpsec WG discusses the issues with replay attacks

9
Future
  • To resolve all the issues
  • An approach based on msec WG work
  • Derive the keys using GSAKMP ??

10
Thank You