Re: [RPSEC] Re: Using IPSec for Routing Protocols

"Vishwas Manral" <vishwas.ietf@gmail.com> Thu, 04 May 2006 12:25 UTC

Message-ID: <77ead0ec0605040525jd8cead1o346b8e6f1b7b15a0@mail.gmail.com>
Date: Thu, 04 May 2006 05:25:16 -0700
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: Acee Lindem <acee@cisco.com>
Subject: Re: [RPSEC] Re: Using IPSec for Routing Protocols
In-Reply-To: <4459E002.2050103@cisco.com>
MIME-Version: 1.0
References: <20060504082605.60358.qmail@web8513.mail.in.yahoo.com> <4459E002.2050103@cisco.com>
Cc: rpsec@ietf.org

Hi Acee,

One reason we do not use IPsec is that we do not support multicast well in
IPsec. I think the way it is used in OSPFv3 is itself a hack. Also, in the
end of it, we are still using manual keying as well as only authentication, so
still the same as for the protocols.

Stephen Kent would probably have the details of it.

Thanks,
Vishwas


On 5/4/06, Acee Lindem <acee@cisco.com> wrote:
>
> Sandhya,
> See inline.
> Sandhya Chawla wrote:
>
> >Hi Stephane,
> >
> >--- Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> >
> >>On Thu, May 04, 2006 at 05:15:21AM +0100,
> >> Sandhya Chawla <sandhya.chawla@yahoo.co.in> wrote
> >> a message of 50 lines which said:
> >>
> >>>Why are we working on providing security at each routing protocol
> >>>(application layer)? Why can't we simply use IPSEC for this?
> >>
> >>Wild guess from a non-expert: because IPsec only provides channel
> >>security, not data security. For instance, if I have a BGP connection
> >
> >We could use ESP with null encryption (null cipher). Using NULL as we
> >really don't want to provide any confidentiality. We only want to
> >authenticate the sender and want to make sure that no one mangles the
> >packet in between.
> >
> >>with a peer, I can use IPsec and therefore be sure that the peer is
> >>really what it says it is. But what does it buy me when the peer
> >>announces a route? How can I be sure that he is entitled to announce
> >>this route?
> >
> >Yes, I understand the need for SO-BGP and S-BGP. What about the IGPs? We
> >would perhaps not want to go in for the complexity of issuing
> >certificates, etc. for IGPs. Would we?
> >
> I would hope not. Though there have been experiments in this area.
>
> >If not, then why can't we simply use IPSEC to protect and auth my IGP
> >data?
> >
> There have been some challenges in using IPSec but the draft should be
> published soon.
>
> http://www.ietf.org/internet-drafts/draft-ietf-ospf-ospfv3-auth-08.txt
>
> Work is underway to provide the IPSec for OSPFv2 as well.
>
> Acee
>
> >I understand that IPSEC works best for, and is perhaps currently defined
> >only for, unicast traffic.
> >Is this the reason why we can't use IPSEC for IGPs (OSPF)?
> >
> >Regards,
> >Sandhya
> >
> >>(Analogy: showing me your passport can convince me that you are indeed
> >>Sandhya Chawla. But it does not make any difference when you tell me
> >>that Om Prakash Chautala is an honest man or not: I still have to
> >>check the information.)
> >>
> >>For the same reason, IPsec does not make the DNS safer and we need
> >>DNSsec.
>
_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec
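The thread separates two things: channel protection (Sandhya's ESP-with-null-encryption suggestion, which authenticates the sender and detects modification in transit) and data protection (Stephane's point that an authenticated peer can still announce a route it is not entitled to). The script below is an added illustration written for this archive page, not code from any of the posters or from an IETF draft. It assumes a toy text format for a route announcement (`UPDATE <origin-AS> <prefix>`, not BGP wire encoding), uses HMAC-SHA256 over the payload as a stand-in for the ESP-NULL/AH integrity check value under a manually configured key (no SPI, sequence number or anti-replay window), and uses a constructed origin-authorization table in place of the certificate infrastructure that S-BGP/soBGP-style origin validation would supply. The three cases in `demo()` show a tampered packet failing at the channel layer, and an authenticated peer's unauthorized prefix passing the channel check but failing the data check.

```python
import hashlib
import hmac
import ipaddress

ICV_LEN = 32  # HMAC-SHA256 output length in bytes

# Constructed shared key, standing in for a manually keyed ESP-NULL/AH
# security association between two routers (assumption, not a real SA).
PEER_KEY = b"constructed-manual-key-for-illustration"

# Constructed origin-authorization table: which prefixes each origin AS
# may announce. Channel authentication has no view of this; it is the
# kind of data that S-BGP/soBGP-style origin validation supplies.
AUTHORIZED_ORIGINS = {
    "AS64496": [ipaddress.ip_network("192.0.2.0/24")],
}


def protect(payload: bytes, key: bytes) -> bytes:
    """Channel protection only: append an integrity check value (ICV)
    computed over the payload, as ESP with a NULL cipher or AH would.
    Simplified: no SPI, sequence number or anti-replay window."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify(packet: bytes, key: bytes):
    """Return the payload if the ICV verifies under `key`, else None."""
    if len(packet) < ICV_LEN:
        return None
    payload, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(icv, expected) else None


def parse_update(payload: bytes):
    """Toy route announcement: b'UPDATE <origin-AS> <prefix>' (constructed
    format, not BGP wire encoding). Returns (origin, prefix) or None."""
    try:
        kind, origin, prefix = payload.decode("ascii").split()
        if kind != "UPDATE":
            return None
        return origin, ipaddress.ip_network(prefix)
    except ValueError:  # wrong field count, bad encoding or bad prefix
        return None


def accept_update(packet: bytes, key: bytes) -> str:
    """Two independent checks: channel (who sent it, was it modified in
    transit) and data (is the sender entitled to announce this route)."""
    payload = verify(packet, key)
    if payload is None:
        return "reject: channel (bad ICV)"
    parsed = parse_update(payload)
    if parsed is None:
        return "reject: malformed update"
    origin, prefix = parsed
    allowed = AUTHORIZED_ORIGINS.get(origin, [])
    if not any(prefix.subnet_of(a) for a in allowed):
        return "reject: data (origin not authorized for prefix)"
    return "accept"


def demo():
    """Run the three constructed cases and return their verdicts."""
    good = protect(b"UPDATE AS64496 192.0.2.0/24", PEER_KEY)
    # Same authenticated peer, but a prefix it is not entitled to originate:
    # the ICV verifies, so only the data-level check can catch this.
    unauthorized = protect(b"UPDATE AS64496 198.51.100.0/24", PEER_KEY)
    # One bit flipped in transit: the ICV no longer matches.
    tampered = bytearray(good)
    tampered[0] ^= 0x01
    return {
        "good": accept_update(good, PEER_KEY),
        "unauthorized": accept_update(unauthorized, PEER_KEY),
        "tampered": accept_update(bytes(tampered), PEER_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of keeping `verify` and the authorization lookup as separate steps is that they answer different questions: the ICV check only tells the receiver that the packet came from a holder of the shared key and was not altered, which is exactly what ESP-NULL or AH provides and exactly where it stops.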