[Xorp-hackers] OSPF auth...
Pavlin Radoslavov
pavlin@icir.org
Thu, 09 Mar 2006 16:09:09 -0800
>
> The configuration of authentication looks something like:
> NEW:
> authentication {
>     simple-password: "FOO"
> }
> OR
> authentication {
>     md5 1 {                        /* KeyID: [0, 255] */
>         password: "FOO"
>         start-time: "YYYY-MM-DD.HH:MM"
>         end-time: "YYYY-MM-DD.HH:MM"
>     }
> }
>
> Wouldn't it be nice to specify start and end-time for simple passwords too?
> Say you are currently using simple auth and would
> like to switch to md5, what better way than to
> specify an end-time for the simple auth and at
> the same time enable md5 authentication?
Good question!
When I was updating the front-end authentication interface for RIP
(and then porting it to OSPF), initially I considered adding start
and end-time for simple passwords as well. However, at the end I
decided not to do it for the following reasons:
* In Juniper there is no start/end time for simple passwords.
In fact, they don't even have an end-time for md5.
* To have the switchover working properly you need to have both
sides agree on some additional rules about when to start and stop
accepting or transmitting the new/old key(s). We need such rules
to cover cases like clocks that are not synchronized, etc.
Such rules do not exist (in RFC or a similar document) for
switching between a simple password and md5.
* Even if we exclude the simple passwords from the picture, the
whole mechanism of gradually switching from one MD5 password
to another is a bit fuzzy with some holes (e.g., see Sections 4.2
and 4.3 in RFC 2082). No wonder the whole key switchover
mechanism is not used for RIPng.
* The simple password mechanism is not secure at all so people
should be discouraged from using it :)
Pavlin
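An added illustration of the clock-synchronization point above (example code written for this archive, not XORP's implementation): it models the md5 { start-time / end-time } windows from the quoted config and shows two routers with skewed clocks disagreeing on whether KeyID 2 is valid yet. The "most recently started key transmits" rule, the grace window, and the key set are assumptions for the demonstration.

```python
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d.%H:%M"  # the "YYYY-MM-DD.HH:MM" form used in the config


def parse_time(text):
    return datetime.strptime(text, TIME_FMT)


class Md5Key:
    """One md5 <KeyID> { password start-time end-time } block (constructed model)."""
    def __init__(self, key_id, password, start_time, end_time=None):
        assert 0 <= key_id <= 255  # KeyID: [0, 255]
        self.key_id = key_id
        self.password = password
        self.start = parse_time(start_time)
        self.end = parse_time(end_time) if end_time else None

    def active(self, now, grace=timedelta(0)):
        # Active from start-time up to (not including) end-time; an optional
        # grace window widens both ends to tolerate a peer's clock skew.
        return self.start - grace <= now and (self.end is None or now < self.end + grace)


def transmit_key(keys, local_now):
    """Assumed rule: send with the active key whose start-time is most recent."""
    active = [k for k in keys if k.active(local_now)]
    return max(active, key=lambda k: k.start) if active else None


def accepts(keys, key_id, local_now, grace=timedelta(0)):
    """Receiver accepts a packet only if KeyID names a key active on *its* clock."""
    return any(k.key_id == key_id and k.active(local_now, grace) for k in keys)


# Constructed key set, configured identically on both routers:
# key 1 is being retired, key 2 takes over with a 5-minute overlap.
KEYS = [
    Md5Key(1, "OLD-SECRET", "2006-03-09.00:00", "2006-03-09.10:05"),
    Md5Key(2, "NEW-SECRET", "2006-03-09.10:00"),
]


def switchover_check(skew_minutes, grace_minutes=0):
    """Router A's clock runs skew_minutes ahead of router B's. Returns whether B
    accepts the packet A sends at A's local 10:00, when A switches to key 2."""
    a_now = parse_time("2006-03-09.10:00")
    b_now = a_now - timedelta(minutes=skew_minutes)
    key = transmit_key(KEYS, a_now)
    return accepts(KEYS, key.key_id, b_now, timedelta(minutes=grace_minutes))
```

With a 3-minute skew and no grace, B drops A's packets until its own clock reaches 10:00; a grace window on the receive side closes that hole, which is the kind of rule both sides would have to agree on.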