Re: [RPSEC] Re: Using IPSec for Routing Protocols

Acee Lindem <acee@cisco.com> Thu, 04 May 2006 11:05 UTC

Message-ID: <4459E002.2050103@cisco.com>
Date: Thu, 04 May 2006 07:05:38 -0400
From: Acee Lindem <acee@cisco.com>
To: Sandhya Chawla <sandhya.chawla@yahoo.co.in>
Subject: Re: [RPSEC] Re: Using IPSec for Routing Protocols
References: <20060504082605.60358.qmail@web8513.mail.in.yahoo.com>
In-Reply-To: <20060504082605.60358.qmail@web8513.mail.in.yahoo.com>
Cc: rpsec@ietf.org

Sandhya,
See inline.
Sandhya Chawla wrote:

>Hi Stephane,
>
>--- Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
>
>>On Thu, May 04, 2006 at 05:15:21AM +0100,
>> Sandhya Chawla <sandhya.chawla@yahoo.co.in> wrote 
>> a message of 50 lines which said:
>>
>>>Why are we working on providing security at each routing protocol
>>>(application layer)? Why can't we simply use IPSEC for this?
>>
>>Wild guess from a non-expert: because IPsec only provides channel
>>security, not data security. For instance, if I have a BGP connection
>
>We could use ESP with null encryption (null cipher). Using NULL as we really don't want to provide
>any confidentiality. We only want to authenticate the sender and want to make sure that no one
>mangles the packet in between.
>
>>with a peer, I can use IPsec and therefore be sure that the peer is
>>really what it says it is. But what does it buy me when the peer
>>announces a route? How can I be sure that he is entitled to announce
>>this route? 
>
>Yes, I understand the need for SO-BGP and S-BGP. What about the IGPs? We would perhaps not want to
>go in for the complexity of issuing certificates, etc. for IGPs. Would we?
>
I would hope not. Though there have been experiments in this area.

>If not, then why can't we simply use IPSEC to protect and auth my IGP data?
>
There have been some challenges in using IPSec, but the draft should be 
published soon.

http://www.ietf.org/internet-drafts/draft-ietf-ospf-ospfv3-auth-08.txt

Work is underway to provide IPSec for OSPFv2 as well.

Acee

>I understand that IPSEC works best for, and is perhaps currently defined only for, unicast traffic.
>Is this the reason we can't use IPSEC for IGPs (OSPF)?
>
>Regards,
>Sandhya
>
>>(Analogy: showing me your passport can convince me that you are indeed
>>Sandhya Chawla. But it does not make any difference when you tell me
>>that Om Prakash Chautala is an honest man or not: I still have to
>>check the information.)
>>
>>For the same reason, IPsec does not make the DNS safer and we need
>>DNSsec.
>>

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec
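Added example, not code from this thread, from Cisco, or from any IETF draft: a small Python model of the "ESP with null encryption" approach Sandhya describes, framed per RFC 4303 with the NULL cipher (RFC 2410) and HMAC-SHA1-96 integrity (RFC 2404) on a manually keyed SA, which is the mode draft-ietf-ospf-ospfv3-auth (later published as RFC 4552) settled on for OSPFv3. The key, SPI and "Hello" payload are constructed placeholders and the function names are the example's own. It shows what such an SA buys and what it does not: a mangled packet or one built without the link key is rejected, while an accepted packet's routing content is simply handed up unexamined, which is exactly Stephane's channel-versus-data point.

```python
# Added example (not from the thread or any IETF draft): ESP with the NULL
# cipher (RFC 2410) and HMAC-SHA1-96 integrity (RFC 2404), framed per RFC 4303,
# over a manually keyed SA as RFC 4552 requires for OSPFv3. The payload is a
# constructed placeholder, not a real OSPF packet.
import hashlib
import hmac
import struct

ICV_LEN = 12            # HMAC-SHA1-96: 20-byte SHA-1 HMAC truncated to 96 bits
HDR_LEN = 8             # SPI (4) + Sequence Number (4)
TRAILER_LEN = 2         # Pad Length (1) + Next Header (1)
NEXT_HEADER_OSPF = 89   # IP protocol number for OSPF


class EspAuthError(Exception):
    """Packet failed integrity, SPI or framing checks; a receiver drops it."""


def _pad_len(payload_len: int) -> int:
    # NULL has a 1-byte block size, but RFC 4303 still needs Pad Length and
    # Next Header to end on a 4-byte boundary.
    return (-(payload_len + TRAILER_LEN)) % 4


def esp_null_wrap(spi: int, seq: int, payload: bytes, next_header: int,
                  auth_key: bytes) -> bytes:
    """Build SPI | Seq | payload | padding | PadLen | NextHdr | ICV."""
    pad_len = _pad_len(len(payload))
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default pad pattern
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_null_unwrap(packet: bytes, auth_key: bytes, expected_spi: int):
    """Verify the ICV first, then parse. Returns (spi, seq, next_header, payload)."""
    if len(packet) < HDR_LEN + TRAILER_LEN + ICV_LEN:
        raise EspAuthError("truncated ESP packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time compare
        raise EspAuthError("ICV mismatch: wrong key or mangled packet")
    spi, seq = struct.unpack("!II", body[:HDR_LEN])
    if spi != expected_spi:
        raise EspAuthError("SPI not configured on this interface")
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - HDR_LEN - TRAILER_LEN:
        raise EspAuthError("pad length exceeds body")
    end_of_payload = len(body) - TRAILER_LEN - pad_len
    if body[end_of_payload:len(body) - TRAILER_LEN] != bytes(range(1, pad_len + 1)):
        raise EspAuthError("padding bytes do not match RFC 4303 pattern")
    # The routing payload is returned as-is: the ICV says who sent it and that
    # it arrived intact, nothing about whether its routes are legitimate.
    return spi, seq, next_header, body[HDR_LEN:end_of_payload]


def esp_null_verifies(packet: bytes, auth_key: bytes, expected_spi: int) -> bool:
    try:
        esp_null_unwrap(packet, auth_key, expected_spi)
        return True
    except EspAuthError:
        return False


if __name__ == "__main__":
    # Constructed demo values: one link-wide manual SA shared by every router
    # on the link, so multicast Hellos and unicast packets use the same SPI/key.
    link_key = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")  # constructed 160-bit key
    link_spi = 0x00000100
    hello = b"OSPFv3 Hello (constructed placeholder, not a real packet)"

    pkt = esp_null_wrap(link_spi, 1, hello, NEXT_HEADER_OSPF, link_key)
    print("good packet accepted:", esp_null_verifies(pkt, link_key, link_spi))

    mangled = bytearray(pkt)
    mangled[HDR_LEN + 6] ^= 0x01          # flip one bit inside the payload
    print("mangled packet accepted:", esp_null_verifies(bytes(mangled), link_key, link_spi))

    # A host without the link key cannot produce an acceptable packet.
    forged = esp_null_wrap(link_spi, 1, hello, NEXT_HEADER_OSPF, b"\x00" * 20)
    print("forged packet accepted:", esp_null_verifies(forged, link_key, link_spi))
```

The sequence number is carried but deliberately not checked: with manual keying there is no per-sender counter state that survives a rekey or reboot, which is why RFC 4552 does not provide the IPsec anti-replay service. The same link-wide manual SA is also how that work gets past the unicast-only concern raised above: every router on the link shares one SPI and key, so multicast Hellos to ff02::5 and unicast packets are protected identically.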