Using crypto auth for detecting corrupted IGP packets?

Manav Bhatia manavbhatia at gmail.com
Wed Oct 13 16:43:39 UTC 2010


Hi,

I received 7 replies of which 3 stated that they were using crypto to
only detect the issues that I have described in my email below.
Another 3 said that they were using it for authentication and 1 person
replied saying that they were using crypto for both authentication and
integrity.

Folks who are using cryptographic authentication mechanisms only for
integrity may want to look at
http://www.ietf.org/id/draft-jakma-ospf-integrity-00.txt

Cheers, Manav

On Fri, Oct 1, 2010 at 9:04 AM, Manav Bhatia <manavbhatia at gmail.com> wrote:
> Hi,
>
> I believe, based on what I have heard, that some operators turn on
> cryptographic authentication because the internet checksum that OSPF,
> etc use for packet sanity is quite weak and offers trifle little
> protection against a lot of known errors like:
>
> - re-ordering of 2-byte aligned words
> - various bit flips that keep the 1s complement sum the same (e.g.
> 0x0000 to 0xffff and vice versa)
>
> So a corrupted packet could still pass the ethernet CRC checks and IP
> and OSPF checksums. Or it could be valid till the ethernet CRC check
> is done and gets corrupted after that (PCI transmission errors, DMA
> errors, memory issues, line card corruption and last but not the
> least, CRCs and internet checksums could miss wire-corrupted packets)
>
> Currently an operator can do the following:
>
> - Use the poor internet checksum OR
>
> - Turn on cryptographic authentication in the routing protocols to
> catch all such bit errors which could be caused by line card
> corruption, etc.
>
> One can go through http://portal.acm.org/citation.cfm?id=294357.294364
> to understand the issues with the internet checksums.
>
> I would be interested in knowing if operators use the cryptographic
> authentication for detecting the errors that I just described above.
> You could send me a mail offline and I will consolidate the responses
> and send a summary on the list in a few days' time.
>
> Cheers, Manav
>
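The two error classes named in the quoted mail (2-byte word reordering, and 0x0000 flipping to 0xffff) can be reproduced against a constructed packet to see why the internet checksum misses them while a keyed digest does not. This is an added example, not code from the mail or from any OSPF implementation: the Hello packet, the key and the word offsets are constructed for the demonstration, and HMAC-SHA-256 stands in for whatever keyed digest the routing protocol's cryptographic authentication actually uses.

```python
import hashlib
import hmac
import zlib

# Constructed sample: an OSPFv2-style Hello (24-byte header + 20-byte body), laid out
# only so the 16-bit words being corrupted look like real fields. Not a captured packet.
SAMPLE_PACKET = bytes([
    0x02, 0x01, 0x00, 0x2c,  # version 2, type 1 (Hello), packet length 44
    0x0a, 0x00, 0x00, 0x01,  # router ID 10.0.0.1
    0x00, 0x00, 0x00, 0x00,  # area ID 0.0.0.0
    0x00, 0x00, 0x00, 0x00,  # checksum (zero while computing), AuType 0
    0x00, 0x00, 0x00, 0x00,  # authentication field (8 bytes, null auth)
    0x00, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0x00,  # network mask 255.255.255.0
    0x00, 0x0a, 0x02, 0x01,  # hello interval 10, options 0x02, router priority 1
    0x00, 0x00, 0x00, 0x28,  # router dead interval 40
    0x0a, 0x00, 0x00, 0x01,  # designated router 10.0.0.1
    0x00, 0x00, 0x00, 0x00,  # backup designated router 0.0.0.0
])

# Constructed demo key; a real deployment keeps this in the router configuration.
DEMO_KEY = b"constructed-demo-key"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with zero
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold end-around carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed digest standing in for the protocol's cryptographic authentication."""
    return hmac.new(key, data, hashlib.sha256).digest()


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Corruption 1: two 16-bit aligned words (indices i and j) change places."""
    buf = bytearray(data)
    buf[2 * i:2 * i + 2], buf[2 * j:2 * j + 2] = buf[2 * j:2 * j + 2], buf[2 * i:2 * i + 2]
    return bytes(buf)


def flip_zero_word(data: bytes, i: int) -> bytes:
    """Corruption 2: an all-zero 16-bit word becomes all-ones (0x0000 -> 0xffff)."""
    buf = bytearray(data)
    if bytes(buf[2 * i:2 * i + 2]) != b"\x00\x00":
        raise ValueError("word %d is not 0x0000" % i)
    buf[2 * i:2 * i + 2] = b"\xff\xff"
    return bytes(buf)


def corruption_report(original: bytes, corrupted: bytes, key: bytes = DEMO_KEY) -> dict:
    """Which checks notice that `corrupted` differs from `original`?"""
    return {
        "ethernet_crc32": zlib.crc32(original) != zlib.crc32(corrupted),
        "internet_checksum": internet_checksum(original) != internet_checksum(corrupted),
        "hmac_sha256": not hmac.compare_digest(hmac_tag(key, original), hmac_tag(key, corrupted)),
    }


def demo() -> dict:
    """Run both corruption classes from the mail against the sample packet."""
    swapped = swap_words(SAMPLE_PACKET, 2, 3)   # router ID 10.0.0.1 -> 0.1.10.0
    flipped = flip_zero_word(SAMPLE_PACKET, 8)  # first auth word 0x0000 -> 0xffff
    return {
        "word_reorder": corruption_report(SAMPLE_PACKET, swapped),
        "zero_to_ones_flip": corruption_report(SAMPLE_PACKET, flipped),
    }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name)
        for check, caught in report.items():
            print("  %-18s %s" % (check, "detected" if caught else "MISSED"))
```

Both misses follow from ones' complement arithmetic: the sum is commutative, so reordering whole words leaves it unchanged, and 0x0000 and 0xffff are both representations of zero, so exchanging them adds nothing. The CRC-32 column shows the mail's other point: the link-layer CRC does catch these, but only at the point where it is checked, so corruption introduced after that (DMA, line card memory) reaches the protocol with nothing but the checksum in the way.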
