Re: Genart last call review of draft-ietf-isis-auto-conf-04

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+1


On 4/10/17 1:32 PM, Alvaro Retana (aretana) wrote:
Works for me!

Thanks!

Alvaro.





On 4/10/17, 10:34 AM, "Les Ginsberg (ginsberg)" <ginsberg@xxxxxxxxx> wrote:

Bing/Robert/Alvaro -

Here is the existing text of the Security Section:

   "In general, the use of authentication is incompatible with auto-
    configuration as it requires some manual configuration.

    For wired deployment, the wired connection itself could be considered
    as an implicit authentication in that unwanted routers are usually
    not able to connect (i.e. there is some kind of physical security in
    place preventing the connection of rogue devices); for wireless
    deployment, the authentication could be achieved at the lower
    wireless link layer."


Proposed revision:

"In the absence of cryptographic authentication it is possible for an attacker to inject  a PDU falsely indicating
there is a duplicate system-id. This may trigger automatic restart of the protocol using the duplicate-id
resolution procedures defined in this document.

Note that the use of authentication is incompatible with auto-
configuration as it requires some manual configuration.

    For wired deployment, the wired connection itself could be considered
    as an implicit authentication in that unwanted routers are usually
    not able to connect (i.e. there is some kind of physical security in
    place preventing the connection of rogue devices); for wireless
    deployment, the authentication could be achieved at the lower
    wireless link layer."

???








[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]