[Xorp-hackers] OSPF auth...

Pavlin Radoslavov pavlin@icir.org
Fri, 10 Mar 2006 19:56:13 -0800


> > >  * To have the switchover working properly you need to have both
> > >    sides agree on some additional rules about when to start and stop
> > >    accepting or transmitting the new/old key(s). We need such rules
> > >    to cover cases like clocks that are not synchronized, etc.
> > >    Such rules do not exist (in RFC or a similar document) for
> > >    switching between a simple password and md5.
> 
> Do start/end times affect accepting keys at all?

Yes. The keys are not used for transmitting or accepting packets
outside their lifetime.

> > Of course, clocks would need to be synchronized
> > and this would be up to the operator of the
> > equipment. We use NTP on all our routers and with
> > OSPF hello timer of 10 seconds there is quite a
> > window in between in which you can switch key.
> 
> I'd consider this kind of transition dangerous for my network and would 
> never use it.
> 
> Juniper has only start-time because there is no need for end-time. Start 
> time affects only sending of packets. All configured keys are accepted 
> for received packets regardless of start time.

This is different from the mechanism suggested by RFC 2082
(Section 4.3).

Pavlin

> Smooth switch of keys looks like this here:
> 
> 1) Configure new keys into routers with start time X in the future. X is 
> chosen so that you can safely add keys to all routers affected by key 
> switch.
> 2) Monitor affected parts of network closely at X. Double-check that all 
> works after X.
> 3) Remove old keys from all affected routers.
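
The two key-selection policies compared in this thread, modeled as an added example; this is not XORP, Juniper, or RFC code. The "lifetime" policy follows what Pavlin describes (a key is used neither for transmitting nor accepting outside its lifetime); the "juniper" policy follows the description above (start time affects only transmission, every configured key is accepted on receipt). The keyed-MD5 digest is a simplified stand-in for RFC 2328 Appendix D (packet followed by the 16-byte key, header fields omitted), and the key material, clock values and skew are constructed to show what a few seconds of clock drift between two routers does to a rollover under each policy.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes            # padded/truncated to 16 bytes before use
    start: int               # time from which the key may be used to transmit
    end: Optional[int] = None  # lifetime end; None means open-ended

    def active(self, now: int) -> bool:
        return self.start <= now and (self.end is None or now < self.end)


def digest(payload: bytes, secret: bytes) -> bytes:
    # Simplified keyed MD5 after the style of RFC 2328 Appendix D: hash the
    # packet followed by the 16-byte key. Assumption: OSPF header fields
    # (key ID, auth length, sequence number) are left out of this model.
    return hashlib.md5(payload + secret.ljust(16, b"\0")[:16]).digest()


def build_hello(keys: List[Key], now: int, policy: str, payload: bytes
                ) -> Optional[Tuple[int, bytes, bytes]]:
    """Pick the transmit key under `policy`; return (key_id, payload, digest) or None."""
    if policy == "lifetime":
        candidates = [k for k in keys if k.active(now)]      # inside lifetime only
    elif policy == "juniper":
        candidates = [k for k in keys if k.start <= now]     # started keys only
    else:
        raise ValueError(policy)
    if not candidates:
        return None
    k = max(candidates, key=lambda key: key.start)           # newest started key wins
    return k.key_id, payload, digest(payload, k.secret)


def accept_hello(keys: List[Key], now: int, policy: str,
                 pkt: Tuple[int, bytes, bytes]) -> bool:
    """Look up the key by ID, apply the receive rule, then verify the digest."""
    key_id, payload, received = pkt
    k = next((key for key in keys if key.key_id == key_id), None)
    if k is None:
        return False
    if policy == "lifetime" and not k.active(now):
        return False
    # "juniper" policy: any configured key is accepted regardless of start time.
    return hmac.compare_digest(received, digest(payload, k.secret))


def exchange(policy: str, keys_a: List[Key], clock_a: int,
             keys_b: List[Key], clock_b: int) -> Tuple[bool, bool]:
    """Both routers send one Hello; return (A->B accepted, B->A accepted)."""
    hello_a = build_hello(keys_a, clock_a, policy, b"hello-from-A")
    hello_b = build_hello(keys_b, clock_b, policy, b"hello-from-B")
    a_to_b = hello_a is not None and accept_hello(keys_b, clock_b, policy, hello_a)
    b_to_a = hello_b is not None and accept_hello(keys_a, clock_a, policy, hello_b)
    return a_to_b, b_to_a


# Constructed rollover: old key 1 ends at t=100, new key 2 starts at t=100,
# configured identically on both routers (no overlap).
KEYS = [Key(1, b"old-secret", start=0, end=100), Key(2, b"new-secret", start=100)]

# Constructed variant with overlapping lifetimes: old key stays valid until t=110.
KEYS_OVERLAP = [Key(1, b"old-secret", start=0, end=110), Key(2, b"new-secret", start=100)]


def rollover_with_skew(policy: str, skew: int, keys: List[Key] = KEYS) -> Tuple[bool, bool]:
    """Router A's clock is `skew` seconds ahead of B's, sampled just after A passes t=100."""
    return exchange(policy, keys, 102, keys, 102 - skew)


if __name__ == "__main__":
    for policy in ("lifetime", "juniper"):
        print(policy,
              "synced:", rollover_with_skew(policy, 0),
              "5s skew:", rollover_with_skew(policy, 5),
              "5s skew, overlapping lifetimes:", rollover_with_skew(policy, 5, KEYS_OVERLAP))
```

With synchronized clocks both policies roll over cleanly. With Router A five seconds ahead, the lifetime policy loses adjacency in both directions: A already transmits key 2, which B has not yet started accepting, while B still transmits key 1, which A has already retired. Overlapping the lifetimes rescues only the B-to-A direction, because the "newest active key" transmit rule makes A switch the moment key 2 starts; that gap is the "additional rules about when to start and stop" the thread refers to. Under the start-time-only policy every configured key is accepted, so the skew is harmless as long as the old key is removed only after every peer has switched.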