[Xorp-hackers] OSPF auth...

Kristian Larsson kristian@juniks.net
Fri, 10 Mar 2006 14:50:46 +0100


On Thu, Mar 09, 2006 at 04:09:09PM -0800, Pavlin Radoslavov wrote:
> > 
> > The configuration of authentication looks something like:
> >       NEW:
> >       authentication {
> >           simple-password: "FOO"
> >       }
> >       OR
> >       authentication {
> >           md5 1 {             /* KeyID: [0, 255] */
> >               password: "FOO"
> >               start-time: "YYYY-MM-DD.HH:MM"
> >               end-time: "YYYY-MM-DD.HH:MM"
> >           }
> >       }
> > 
> > Wouldn't it be nice to specify start and end-time for simple passwords too?
> > Say you are currently using simple auth and would
> > like to switch to md5, what better way than to
> > specify an end-time for the simple auth and at
> > the same time enable md5 authentication?
> 
> Good question!
> When I was updating the front-end authentication interface for RIP
> (and then porting it to OSPF), initially I considered adding start
> and end-time for simple passwords as well. However, at the end I
> decided not to do it for the following reasons:
> 
>  * In Juniper there is no start/end time for simple passwords.
>    In fact, they don't have even end-time for md5.
Well, this is not a Juniper and we should only
pick the good parts from juniper and improve on
the bad ones.
> 
>  * To have the switchover working properly you need to have both
>    sides agree on some additional rules about when to start and stop
>    accepting or transmitting the new/old key(s). We need such rules
>    to cover cases like clocks that are not synchronized, etc.
>    Such rules do not exist (in RFC or a similar document) for
>    switching between a simple password and md5.
Of course, clocks would need to be synchronized
and this would be up to the operator of the
equipment. We use NTP on all our routers and with
OSPF hello timer of 10 seconds there is quite a
window in between in which you can switch key.
> 
>  * Even if we exclude the simple passwords from the picture, the
>    whole mechanism of gradually switching from one MD5 password
>    to another is a bit fuzzy with some holes (e.g., see Sections 4.2
>    and 4.3 in RFC 2082). No wonder the whole key switchover
>    mechanism is not used for RIPng.
Well, you have, despite the fuzziness, implemented
md5 key switchover so why not for simple auth?
> 
>  * The simple password mechanism is not secure at all so people
>    should be discouraged from using it :)
Yupp, it sure is. What I thought was that it would
be nice to help people transition from simple
auth. My previous employer used simple
authentication due to old hardware that didn't
support OSPF. All that old equipment had been
upgraded but the job of switching was deemed too
risky and too complex.


Regards,
Kristian
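As an added illustration, not XORP's own code, here is a small Python model of how the start-time/end-time windows on the `md5 <KeyID> { ... }` blocks quoted above can drive a key switchover: transmit with the newest active key, and accept a received key ID inside its window widened by a clock-skew allowance, which is the kind of rule the thread says exists for MD5 keys but not for simple passwords. The key IDs, passwords, times and the skew allowance are constructed sample values, and the selection policy is an assumed simplification of RFC 2082 style rollover.

```python
from datetime import datetime, timedelta
from typing import Optional

TIME_FMT = "%Y-%m-%d.%H:%M"  # the "YYYY-MM-DD.HH:MM" form used in the config snippet


def parse_time(s: Optional[str]) -> Optional[datetime]:
    """Parse a start-time/end-time string; None means the bound is open."""
    return datetime.strptime(s, TIME_FMT) if s else None


# Constructed sample: key 1 is being retired at 12:00, key 2 starts at 11:00,
# so both overlap for an hour during the switchover.
KEYS = {
    1: {"password": "FOO", "start-time": None, "end-time": "2006-03-10.12:00"},
    2: {"password": "BAR", "start-time": "2006-03-10.11:00", "end-time": None},
}


def _window(key: dict):
    return parse_time(key["start-time"]), parse_time(key["end-time"])


def select_tx_key(keys: dict, now: datetime) -> Optional[int]:
    """Key ID used to sign outgoing packets: among keys active at `now`, the
    one with the most recent start-time, so the new key wins during overlap.
    Returns None when no key is active (assumed policy, not XORP's)."""
    active = []
    for kid, key in keys.items():
        start, end = _window(key)
        if (start is None or start <= now) and (end is None or now < end):
            active.append((start or datetime.min, kid))
    return max(active)[1] if active else None


def accept_rx_key(keys: dict, key_id: int, now: datetime, skew_minutes: int) -> bool:
    """Whether a packet carrying `key_id` is verified at all: the key must be
    configured and `now` must fall inside its window widened by `skew_minutes`
    on both sides. The widening is what tolerates peers whose clocks are
    slightly off, the NTP point raised in the thread."""
    key = keys.get(key_id)
    if key is None:
        return False  # unknown KeyID: drop rather than guess a password
    start, end = _window(key)
    skew = timedelta(minutes=skew_minutes)
    not_too_early = start is None or start - skew <= now
    not_too_late = end is None or now < end + skew
    return not_too_early and not_too_late


if __name__ == "__main__":
    for t in ("2006-03-10.10:30", "2006-03-10.11:30", "2006-03-10.12:02", "2006-03-10.13:00"):
        now = parse_time(t)
        print(t, "tx:", select_tx_key(KEYS, now),
              "rx key1:", accept_rx_key(KEYS, 1, now, 5),
              "rx key2:", accept_rx_key(KEYS, 2, now, 5))
```

Note that a packet using a simple password carries no KeyID field, so the receiver has nothing to index a per-key window with; that is the structural gap behind the "no rules exist" point for simple-password switchover.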