Hi,

I received 7 replies, of which 3 stated that they were using crypto to only detect the issues that I have described in my email below. Another 3 said that they were using it for authentication and 1 person replied saying that they were using crypto for both authentication and integrity.

Folks who are using cryptographic authentication mechanisms only for integrity may want to look at http://www.ietf.org/id/draft-jakma-ospf-integrity-00.txt

Cheers, Manav

On Fri, Oct 1, 2010 at 9:04 AM, Manav Bhatia <manavbha...@gmail.com> wrote:
> Hi,
>
> I believe, based on what I have heard, that some operators turn on
> cryptographic authentication because the internet checksum that OSPF,
> etc. use for packet sanity is quite weak and offers trifle little
> protection against a lot of known errors like:
>
> - re-ordering of 2-byte aligned words
> - various bit flips that keep the 1s complement sum the same (e.g.
>   0x0000 to 0xffff and vice versa)
>
> So a corrupted packet could still pass the Ethernet CRC checks and IP
> and OSPF checksums. Or it could be valid till the Ethernet CRC check
> is done and gets corrupted after that (PCI transmission errors, DMA
> errors, memory issues, line card corruption and last but not the
> least, CRCs and internet checksums could miss wire-corrupted packets)
>
> Currently an operator can do the following:
>
> - Use the poor internet checksum OR
>
> - Turn on cryptographic authentication in the routing protocols to
>   catch all such bit errors which could be caused by line card
>   corruption, etc.
>
> One can go through http://portal.acm.org/citation.cfm?id=294357.294364
> to understand the issues with the internet checksums.
>
> I would be interested in knowing if operators use the cryptographic
> authentication for detecting the errors that I just described above.
> You could send me a mail offline and I will consolidate the responses
> and send a summary on the list in a few days time.
>
> Cheers, Manav
>
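
The two checksum blind spots listed in the quoted message (re-ordered 2-byte aligned words, and a 0x0000 word becoming 0xffff or vice versa), shown next to a keyed digest over the same bytes. This is an added example, not part of the original thread: the packet bytes and key are constructed, and HMAC-SHA-256 is an assumed stand-in for whatever keyed digest a routing protocol is configured with.

```python
import hashlib
import hmac
import struct

def internet_checksum(data: bytes) -> int:
    """16-bit one's complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Exchange the 2-byte aligned words at word indexes i and j."""
    words = [data[k:k + 2] for k in range(0, len(data), 2)]
    words[i], words[j] = words[j], words[i]
    return b"".join(words)

def flip_zero_word(data: bytes, i: int) -> bytes:
    """Change word i from 0x0000 to 0xffff, or from 0xffff to 0x0000."""
    word = data[2 * i:2 * i + 2]
    if word not in (b"\x00\x00", b"\xff\xff"):
        raise ValueError("word is neither 0x0000 nor 0xffff")
    new = b"\xff\xff" if word == b"\x00\x00" else b"\x00\x00"
    return data[:2 * i] + new + data[2 * i + 2:]

def mac(key: bytes, data: bytes) -> bytes:
    """Keyed digest over the packet; HMAC-SHA-256 is a stand-in here."""
    return hmac.new(key, data, hashlib.sha256).digest()

def detects(original: bytes, corrupted: bytes, key: bytes) -> dict:
    """Report which check notices that the packet changed."""
    return {
        "checksum": internet_checksum(original) != internet_checksum(corrupted),
        "hmac": not hmac.compare_digest(mac(key, original), mac(key, corrupted)),
    }

# Constructed 24-byte packet body and key (not a real OSPF packet or secret).
PACKET = bytes.fromhex("0201002c c0a80001 00000000 0a000001 ffffff00 000a0201")
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    print("reordered:", detects(PACKET, swap_words(PACKET, 2, 3), KEY))
    print("0000->ffff:", detects(PACKET, flip_zero_word(PACKET, 4), KEY))
```

Both corruptions leave the checksum unchanged while the keyed digest differs; a single flipped bit, by contrast, is caught by both checks.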