[Xorp-hackers] OSPF auth...

Pavlin Radoslavov pavlin@icir.org
Thu, 09 Mar 2006 16:09:09 -0800


> 
> The configuration of authentication looks something like:
>       NEW:
>       authentication {
>           simple-password: "FOO"
>       }
>       OR
>       authentication {
>           md5 1 {             /* KeyID: [0, 255] */
>               password: "FOO"
>               start-time: "YYYY-MM-DD.HH:MM"
>               end-time: "YYYY-MM-DD.HH:MM"
>           }
>       }
> 
> Wouldn't it be nice to specify start and end-time for simple passwords too?
> Say you are currently using simple auth and would
> like to switch to md5, what better way than to
> specify an end-time for the simple auth and at
> the same time enable md5 authentication?

Good question!
When I was updating the front-end authentication interface for RIP
(and then porting it to OSPF), initially I considered adding start
and end-time for simple passwords as well. However, in the end I
decided not to do it for the following reasons:

 * In Juniper there is no start/end time for simple passwords.
   In fact, they don't even have an end-time for md5.

 * To have the switchover working properly you need to have both
   sides agree on some additional rules about when to start and stop
   accepting or transmitting the new/old key(s). We need such rules
   to cover cases like clocks that are not synchronized, etc.
   Such rules do not exist (in RFC or a similar document) for
   switching between a simple password and md5.

 * Even if we exclude the simple passwords from the picture, the
   whole mechanism of gradually switching from one MD5 password
   to another is a bit fuzzy with some holes (e.g., see Sections 4.2
   and 4.3 in RFC 2082). No wonder the whole key switchover
   mechanism is not used for RIPng.

 * The simple password mechanism is not secure at all so people
   should be discouraged from using it :)

Pavlin
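An added example, not code from this thread, from XORP or from RFC 2082: it models the "md5 <KeyID> { password, start-time, end-time }" windows shown in the quoted configuration and reproduces the unsynchronized-clock hole mentioned above. The selection policy (transmit with the most recently started active key, accept a KeyID only inside its window widened by a skew tolerance), the key schedule and the passwords are this example's own constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class Md5Key:
    """One "md5 <KeyID> { ... }" block: KeyID in [0, 255], password, time window."""
    key_id: int
    password: str
    start: datetime
    end: Optional[datetime]      # None: no end-time configured

def parse_time(text: str) -> datetime:
    """Parse the config's "YYYY-MM-DD.HH:MM" start-time/end-time format."""
    return datetime.strptime(text, "%Y-%m-%d.%H:%M")

def is_active(key: Md5Key, now: datetime, skew: timedelta = timedelta(0)) -> bool:
    """True if now falls in [start - skew, end + skew); skew widens the window."""
    if now < key.start - skew:
        return False
    return key.end is None or now < key.end + skew

def transmit_key(keys: List[Md5Key], now: datetime) -> Optional[Md5Key]:
    """Sender side (assumed policy): the most recently started key active by its own clock."""
    active = [k for k in keys if is_active(k, now)]
    return max(active, key=lambda k: k.start) if active else None

def accept_key(keys: List[Md5Key], key_id: int, now: datetime,
               skew: timedelta = timedelta(0)) -> Optional[Md5Key]:
    """Receiver side: accept the packet's KeyID only if its (skew-widened) window holds now."""
    for k in keys:
        if k.key_id == key_id and is_active(k, now, skew):
            return k
    return None

# Constructed rollover schedule: key 1 is being retired, key 2 takes over on
# 2006-03-09 at 12:00 with a 12-hour overlap during which both are valid.
KEYS = [
    Md5Key(1, "FOO", parse_time("2006-03-01.00:00"), parse_time("2006-03-10.00:00")),
    Md5Key(2, "BAR", parse_time("2006-03-09.12:00"), None),
]

def rollover_accepted(receiver_now: datetime, sender_ahead_min: int,
                      skew_min: int = 0) -> bool:
    """Does the receiver accept what a sender whose clock runs sender_ahead_min minutes fast sends?"""
    chosen = transmit_key(KEYS, receiver_now + timedelta(minutes=sender_ahead_min))
    if chosen is None:
        return False   # nothing to transmit: no key active at the sender's time
    return accept_key(KEYS, chosen.key_id, receiver_now, timedelta(minutes=skew_min)) is not None
```

With a sender clock ten minutes fast, the sender switches to key 2 at its local 12:00 while the receiver, still at 11:50, rejects it unless a skew tolerance is configured; that tolerance is exactly the kind of extra rule both sides must agree on out of band.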