Using crypto auth for detecting corrupted IGP packets?

Manav Bhatia manavbhatia at gmail.com
Thu Sep 30 22:34:23 CDT 2010


Hi,

I believe, based on what i have heard,  that some operators turn on
cryptographic authentication because the internet checksum that OSPF,
etc use for packet sanity is quite weak and offers trifle little
protection against lot of known errors like:

- re-ordering of 2-byte aligned words
- various bit flips that keep the 1s complement sum the same (e.g.
0x0000 to 0xffff and vice versa)

So a corrupted packet could still pass the ethernet CRC checks and IP
and OSPF checksums. Or it could be valid till the ethernet CRC check
is done and gets corrupted after that (PCI transmission errors, DMA
errors, memory issues, line card corruption and last but not the
least, CRCs and internet checksums could miss wire-corrupted packets)

Currently an operator can do the following:

- Use the poor internet checksum OR

- Turn on cryptographic authentication in the routing protocols to
catch all such bit errors which could be caused by line card
corruption, etc.

One can go through http://portal.acm.org/citation.cfm?id=294357.294364
to understand the issues with the internet  checksums.

I would be interested in knowing if operators use the cryptographic
authentication for detecting the errors that i just described above.
You could send me a mail offline and i will consolidate the responses
and send a summary on the list in a few days time.

Cheers, Manav




More information about the NANOG mailing list