Re: [RPSEC] Re: Using IPSec for Routing Protocols
Lakshminath Dondeti <ldondeti@qualcomm.com> Thu, 04 May 2006 18:45 UTC
Date: Thu, 04 May 2006 11:42:01 -0700
To: Vishwas Manral <vishwas.ietf@gmail.com>, Acee Lindem <acee@cisco.com>
From: Lakshminath Dondeti <ldondeti@qualcomm.com>
Subject: Re: [RPSEC] Re: Using IPSec for Routing Protocols
Cc: rpsec@ietf.org, msec@securemulticast.org
At 05:25 AM 5/4/2006, Vishwas Manral wrote:
>Hi Acee,
>
>One reason we do not use IPsec is that we do not support multicast
>well in IPsec.

This is news to me and probably to many folks in MSEC. Please take a look at the work underway in that group.

regards,
Lakshminath

> I think the way it is used in OSPFv3 is itself a hack. Also in the
> end of it we are still using manual keying as well as only
> authentication so still the same as for the protocols.
>
>Stephen Kent would probably have the details of it.
>
>Thanks,
>Vishwas
>
>
>On 5/4/06, Acee Lindem <acee@cisco.com> wrote:
>Sandhya,
>See inline.
>Sandhya Chawla wrote:
>
> >Hi Stephane,
> >
> >--- Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> >
> >>On Thu, May 04, 2006 at 05:15:21AM +0100,
> >> Sandhya Chawla <sandhya.chawla@yahoo.co.in> wrote
> >> a message of 50 lines which said:
> >>
> >>>Why are we working on providing security at each routing protocol
> >>>(application layer)? Why can't we simply use IPSEC for this?
> >>
> >>Wild guess from a non-expert: because IPsec only provides channel
> >>security, not data security. For instance, if I have a BGP connection
> >
> >We could use ESP with null encryption (null cipher). Using NULL as we really don't want to provide
> >any confidentiality. We only want to authenticate the sender and want to make sure that no one
> >mangles the packet in between.
> >
> >>with a peer, I can use IPsec and therefore be sure that the peer is
> >>really what it says it is. But what does it buy me when the peer
> >>announces a route? How can I be sure that he is entitled to announce
> >>this route?
> >
> >Yes, I understand the need for SO-BGP and S-BGP. What about the IGPs? We would perhaps not want to
> >go in for the complexity of issuing certificates, etc for IGPs. Would we?
> >
>I would hope not. Though there have been experiments in this area.
>
> >If not, then why can't we simply use IPSEC to protect and auth my IGP data?
> >
>There have been some challenges in using IPSec but the draft should be
>published soon.
>
>http://www.ietf.org/internet-drafts/draft-ietf-ospf-ospfv3-auth-08.txt
>
>Work is underway to provide the IPSec for OSPFv2 as well.
>
>Acee
>
> >I understand that IPSEC works best for, and is perhaps currently defined only for unicast traffic.
> >Is this the reason because of which we can't use IPSEC for IGPs (OSPF)?
> >
> >Regards,
> >Sandhya
> >
> >>(Analogy: showing me your passport can convince me that you are indeed
> >>Sandhya Chawla. But it does not make any difference when you tell me
> >>that Om Prakash Chautala is an honest man or not: I still have to
> >>check the information.)
> >>
> >>For the same reason, IPsec does not make the DNS safer and we need
> >>DNSsec.

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec
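The distinction drawn in the quoted text between channel security and data security, as an added example that is not part of the original message or of any IPsec implementation. The truncated HMAC stands in for ESP with NULL encryption under a manually configured key; the key, peer names, prefixes and authorization table are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed manual key shared by the two peers (manual keying, as in the thread).
MANUAL_KEY = b"constructed-demo-key"
TAG_LEN = 16  # truncated HMAC-SHA-256 tag, a stand-in for an ESP integrity check value

# Hypothetical authorization data: which peer may originate which prefixes.
# IPsec carries nothing like this; it is what S-BGP / soBGP aim to supply.
AUTHORIZED = {
    "peer-A": [ipaddress.ip_network("192.0.2.0/24")],
    "peer-B": [ipaddress.ip_network("198.51.100.0/24")],
}

def protect(key: bytes, payload: bytes) -> bytes:
    """Integrity only: payload stays in the clear, a tag is appended."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]

def channel_check(key: bytes, packet: bytes):
    """Return the payload if the tag verifies, else None."""
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload if hmac.compare_digest(tag, expected) else None

def origin_check(peer: str, prefix: str) -> bool:
    """Data-level check: is this peer entitled to announce the prefix?"""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(allowed) for allowed in AUTHORIZED.get(peer, []))

def evaluate(peer: str, key: bytes, packet: bytes) -> str:
    payload = channel_check(key, packet)
    if payload is None:
        return "rejected: integrity check failed"
    if not origin_check(peer, payload.decode()):
        return "channel ok, announcement not authorized"
    return "accepted"

def demo():
    good = protect(MANUAL_KEY, b"192.0.2.0/24")
    foreign = protect(MANUAL_KEY, b"198.51.100.0/24")  # valid tag, not peer-A's prefix
    mangled = bytearray(good)
    mangled[0] ^= 0x01                                 # changed in transit
    return [evaluate("peer-A", MANUAL_KEY, p) for p in (good, foreign, bytes(mangled))]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second packet passes the integrity check because the authenticated peer produced it; only the separate authorization lookup catches it.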
- [RPSEC] Using IPSec for Routing Protocols Sandhya Chawla
- [RPSEC] Re: Using IPSec for Routing Protocols Stephane Bortzmeyer
- [RPSEC] Re: Using IPSec for Routing Protocols Sandhya Chawla
- Re: [RPSEC] Re: Using IPSec for Routing Protocols Acee Lindem
- Re: [RPSEC] Re: Using IPSec for Routing Protocols Vishwas Manral
- Re: [RPSEC] Re: Using IPSec for Routing Protocols Lakshminath Dondeti
- Re: [RPSEC] Re: Using IPSec for Routing Protocols Lakshminath Dondeti
- Re: [RPSEC] Re: Using IPSec for Routing Protocols Acee Lindem
- [RPSEC] Re: Using IPSec for Routing Protocols Stephane Bortzmeyer
- Re: [RPSEC] Re: Using IPSec for Routing Protocols Vishwas Manral