Re: BGP-4+
Curtis Villamizar <curtis@ans.net> Fri, 20 December 1996 16:54 UTC
Message-Id: <199612201622.LAA28858@brookfield.ans.net>
To: "John W. Stewart III" <jstewart@metro.isi.edu>
Cc: Yakov Rekhter <yakov@cisco.com>, Susan Hares <skh@merit.edu>,
dkatz@cisco.com, bgp@ans.net
Reply-To: curtis@ans.net
Subject: Re: BGP-4+
In-Reply-To: Your message of "Wed, 18 Dec 1996 18:48:33 EST."
<199612182348.AA20876@metro.isi.edu>
Date: Fri, 20 Dec 1996 11:22:22 -0500
From: Curtis Villamizar <curtis@ans.net>

In message <199612182348.AA20876@metro.isi.edu>, "John W. Stewart III" writes:
> > > > 2) Security Considerations
> >
> > > > BGP-4++ is just as secure or un-secure as BGP-4.
> >
> > To be more precise the two new attributes do not alter
> > BGP-4 security properties.
> >
> > > Is it your understanding that users need this security or is
> > > TCP good enough?
> >
> > I would like to get a feedback from the WG on this question.
>
> at least one Popular Router Vendor has a feature for
> enabling security for bgp. my understanding (correct
> me if i'm wrong) is that this is done via crypto-
> checksum of the underlying tcp connection .. which has
> the nice result of protecting the bgp process as well
> as the underlying tcp connection from SYN and RST
> attacks (bgp-only security wouldn't protect the latter)

The NSS did this back in 1992 with BGP3, the auth field, and an MD4
check in each BGP packet. Today we'd be more likely to use MD5.

> if i were a provider, then i think this would be enough
> for me right now

That's fine. All we need now is a way to protect against RST.

> idrp provides for its own transport, right? does that
> include anything in the way of security? i ask to know
> if any already-existing specs with alternatives exist
>
> /jws

Use IDRP if you prefer. This reminds me of the "abandon Unix because
Mach does X better" arguments. Nothing wrong with Unix taking the
better ideas from Mach like copy on write VM semantics and leaving
behind those things that didn't work out as well.

Same with BGP. There is a lot of excess baggage that needs to be
dumped from IDRP. It might be better to take the (few) better features
of IDRP and respin BGP. In other words, IDRP is *not* BGP5.

Curtis
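
An added example, not part of the original message or any vendor's code: a small Python model of the point raised in the thread, that a keyed checksum on every TCP segment rejects an unauthenticated RST, while a check applied only to BGP messages never gets to see it. The digest input order follows RFC 2385 (TCP MD5 Signature Option), simplified by leaving the option bytes out of the segment length; the function names, addresses, sequence numbers and key are constructed for illustration.

```python
import hashlib, hmac, socket, struct

TCP_PROTO, BGP_PORT, FLAG_RST, FLAG_ACK = 6, 179, 0x04, 0x10

def tcp_header(sport, dport, seq, ack, flags):
    """20-byte TCP header without options; checksum field left at zero."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 16384, 0, 0)

def segment_digest(src, dst, header, data, key):
    """Keyed MD5 over pseudo-header, TCP header, segment data, then the shared key."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst)
    pseudo += struct.pack("!BBH", 0, TCP_PROTO, len(header) + len(data))
    return hashlib.md5(pseudo + header + data + key).digest()

def tcp_layer_accepts(src, dst, header, data, digest, key):
    """Transport-level check: every segment, RST included, needs a valid digest."""
    if digest is None:
        return False
    return hmac.compare_digest(digest, segment_digest(src, dst, header, data, key))

def bgp_layer_accepts(header, bgp_auth_ok):
    """BGP-only check: TCP acts on a RST before BGP sees any bytes to verify."""
    flags = struct.unpack("!H", header[12:14])[0] & 0x3F
    return True if flags & FLAG_RST else bgp_auth_ok

def demo():
    # Constructed sample values (documentation addresses, made-up key and sequence numbers).
    a, b, key = "192.0.2.1", "192.0.2.2", b"constructed-shared-key"
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)  # BGP KEEPALIVE message
    good_hdr = tcp_header(40000, BGP_PORT, 1000, 5000, FLAG_ACK)
    good_sig = segment_digest(a, b, good_hdr, keepalive, key)
    rst_hdr = tcp_header(40000, BGP_PORT, 1019, 0, FLAG_RST)  # reset from a sender without the key
    bad_sig = segment_digest(a, b, rst_hdr, b"", b"guess")
    return {
        "signed_keepalive": tcp_layer_accepts(a, b, good_hdr, keepalive, good_sig, key),
        "tampered_keepalive": tcp_layer_accepts(a, b, good_hdr, keepalive[:-1] + b"\x01", good_sig, key),
        "unsigned_rst_tcp_check": tcp_layer_accepts(a, b, rst_hdr, b"", None, key),
        "wrong_key_rst_tcp_check": tcp_layer_accepts(a, b, rst_hdr, b"", bad_sig, key),
        "unsigned_rst_bgp_only": bgp_layer_accepts(rst_hdr, bgp_auth_ok=False),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:26s} accepted={accepted}")
```

The last row is the gap the thread describes: with authentication only inside BGP messages, the reset is acted on by TCP regardless of the BGP check.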