Hi, I received 7 replies of which 3 stated that they were using crypto to only detect the issues that i have described in my email below. Another 3 said that they were using it for authentication and 1 person replied saying that they were using crypto for both authentication and integrity. Folks who are using cryptographic authentication mechanisms only for integrity may want to look at http://www.ietf.org/id/draft-jakma-ospf-integrity-00.txt Cheers, Manav On Fri, Oct 1, 2010 at 9:04 AM, Manav Bhatia <manavbhatia@gmail.com> wrote:
Hi,
I believe, based on what i have heard, that some operators turn on cryptographic authentication because the internet checksum that OSPF, etc use for packet sanity is quite weak and offers trifle little protection against lot of known errors like:
- re-ordering of 2-byte aligned words - various bit flips that keep the 1s complement sum the same (e.g. 0x0000 to 0xffff and vice versa)
So a corrupted packet could still pass the ethernet CRC checks and IP and OSPF checksums. Or it could be valid till the ethernet CRC check is done and gets corrupted after that (PCI transmission errors, DMA errors, memory issues, line card corruption and last but not the least, CRCs and internet checksums could miss wire-corrupted packets)
Currently an operator can do the following:
- Use the poor internet checksum OR
- Turn on cryptographic authentication in the routing protocols to catch all such bit errors which could be caused by line card corruption, etc.
One can go through http://portal.acm.org/citation.cfm?id=294357.294364 to understand the issues with the internet checksums.
I would be interested in knowing if operators use the cryptographic authentication for detecting the errors that i just described above. You could send me a mail offline and i will consolidate the responses and send a summary on the list in a few days time.
Cheers, Manav