
RE: Genart last call review of draft-ietf-isis-auto-conf-04

2017-04-10 20:45:10
Hi Les, Robert and Alvaro,

Thanks for Les' proposed text. I'll update it accordingly.

B.R.
Bing


-----Original Message-----
From: Robert Sparks [mailto:rjsparks(_at_)nostrum(_dot_)com]
Sent: Tuesday, April 11, 2017 1:36 AM
To: Alvaro Retana (aretana); Les Ginsberg (ginsberg); Liubing (Leo);
gen-art(_at_)ietf(_dot_)org
Cc: draft-ietf-isis-auto-conf(_dot_)all(_at_)ietf(_dot_)org; 
ietf(_at_)ietf(_dot_)org; isis-wg(_at_)ietf(_dot_)org
Subject: Re: Genart last call review of draft-ietf-isis-auto-conf-04

+1


On 4/10/17 1:32 PM, Alvaro Retana (aretana) wrote:
Works for me!

Thanks!

Alvaro.





On 4/10/17, 10:34 AM, "Les Ginsberg (ginsberg)" <ginsberg(_at_)cisco(_dot_)com> wrote:

Bing/Robert/Alvaro -

Here is the existing text of the Security Section:

   "In general, the use of authentication is incompatible with auto-
    configuration as it requires some manual configuration.

    For wired deployment, the wired connection itself could be considered
    as an implicit authentication in that unwanted routers are usually
    not able to connect (i.e. there is some kind of physical security in
    place preventing the connection of rogue devices); for wireless
    deployment, the authentication could be achieved at the lower
    wireless link layer."


Proposed revision:

"In the absence of cryptographic authentication it is possible for an
attacker to inject a PDU falsely indicating there is a duplicate
system-id. This may trigger automatic restart of the protocol using the
duplicate-id resolution procedures defined in this document.

Note that the use of authentication is incompatible with auto-
configuration as it requires some manual configuration.

    For wired deployment, the wired connection itself could be considered
    as an implicit authentication in that unwanted routers are usually
    not able to connect (i.e. there is some kind of physical security in
    place preventing the connection of rogue devices); for wireless
    deployment, the authentication could be achieved at the lower
    wireless link layer."

???
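The threat in Les' proposed text, and what cryptographic authentication would change, can be shown with a small model. The following is an added illustration written for this page; it is not code from the draft, its authors, or any IS-IS implementation. The PDU layout (`DuplicateIdPdu`), the HMAC-SHA256 tag, the shared key, the system-id values and the "pick a fresh id" stand-in for the draft's duplicate-id resolution procedure are all constructed assumptions, not the draft's wire format or procedure. The point it demonstrates is the one the text makes: a router with no authentication configured accepts a forged "duplicate system-id" report and restarts, while a router that verifies a tag rejects the forgery and still honours a genuine report from a keyed peer.

```python
"""Toy model of the threat in the proposed Security Considerations text.

Everything here (PDU fields, tag construction, restart handling) is
constructed for illustration and is NOT the IS-IS auto-configuration
draft's encoding or procedure.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class DuplicateIdPdu:
    """Constructed toy PDU reporting a duplicate system-id (not IS-IS wire format)."""
    reported_system_id: bytes          # system-id the sender claims is duplicated
    sender_id: bytes                   # who sent it (constructed label)
    auth_tag: Optional[bytes] = None   # HMAC over the two fields above, if the sender has the key


def _tag(key: bytes, pdu: DuplicateIdPdu) -> bytes:
    # Assumed construction: HMAC-SHA256 over the authenticated fields.
    return hmac.new(key, pdu.reported_system_id + pdu.sender_id, hashlib.sha256).digest()


def sign_pdu(pdu: DuplicateIdPdu, key: bytes) -> DuplicateIdPdu:
    """Attach an authentication tag computed with the shared key."""
    return DuplicateIdPdu(pdu.reported_system_id, pdu.sender_id, _tag(key, pdu))


class AutoConfRouter:
    def __init__(self, system_id: bytes, auth_key: Optional[bytes] = None):
        self.system_id = system_id
        self.auth_key = auth_key   # None models the auto-configured, unauthenticated case
        self.restarts = 0
        self.rejected = 0

    def _authentic(self, pdu: DuplicateIdPdu) -> bool:
        if self.auth_key is None:
            return True            # no authentication configured: every PDU on the link is trusted
        if pdu.auth_tag is None:
            return False           # key configured but PDU carries no tag
        return hmac.compare_digest(_tag(self.auth_key, pdu), pdu.auth_tag)

    def receive(self, pdu: DuplicateIdPdu) -> bool:
        """Return True if the PDU triggered duplicate-id resolution (a restart)."""
        if not self._authentic(pdu):
            self.rejected += 1
            return False
        if pdu.reported_system_id == self.system_id:
            # Constructed stand-in for the draft's resolution procedure: take a fresh id.
            self.system_id = os.urandom(6)
            self.restarts += 1
            return True
        return False


def run_scenario() -> dict:
    """Constructed scenario: one forged report, one genuine keyed report."""
    key = b"constructed-shared-key"
    victim_id = bytes.fromhex("00000000dead")          # constructed system-id
    forged = DuplicateIdPdu(victim_id, b"rogue")        # no tag: the sender has no key

    open_router = AutoConfRouter(victim_id)             # no authentication
    keyed_router = AutoConfRouter(victim_id, auth_key=key)

    open_router.receive(forged)    # accepted: restart triggered by an unauthenticated claim
    keyed_router.receive(forged)   # rejected: tag missing

    genuine = sign_pdu(DuplicateIdPdu(victim_id, b"peer"), key)
    keyed_router.receive(genuine)  # accepted: a keyed peer can still report a real duplicate

    return {
        "open_restarts": open_router.restarts,
        "keyed_restarts": keyed_router.restarts,
        "keyed_rejected": keyed_router.rejected,
    }


if __name__ == "__main__":
    print(run_scenario())
```

`run_scenario()` returns one restart for the unauthenticated router caused purely by the forged PDU, and for the keyed router one rejection (the forgery) plus one restart (the genuine report), which is the trade-off the proposed text describes: authentication closes the injection path but needs the manual key configuration that auto-configuration is trying to avoid.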