Re: [RPSEC] Re: Using IPSec for Routing Protocols

Lakshminath Dondeti <ldondeti@qualcomm.com> Thu, 04 May 2006 18:45 UTC

Message-Id: <6.2.5.6.2.20060504114102.057e9f98@qualcomm.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Thu, 04 May 2006 11:42:01 -0700
To: Vishwas Manral <vishwas.ietf@gmail.com>, Acee Lindem <acee@cisco.com>
From: Lakshminath Dondeti <ldondeti@qualcomm.com>
Subject: Re: [RPSEC] Re: Using IPSec for Routing Protocols
In-Reply-To: <77ead0ec0605040525jd8cead1o346b8e6f1b7b15a0@mail.gmail.com>
References: <20060504082605.60358.qmail@web8513.mail.in.yahoo.com> <4459E002.2050103@cisco.com> <77ead0ec0605040525jd8cead1o346b8e6f1b7b15a0@mail.gmail.com>
Cc: rpsec@ietf.org, msec@securemulticast.org

At 05:25 AM 5/4/2006, Vishwas Manral wrote:
>Hi Acee,
>
>One reason we do not use IPsec is that we do not support multicast 
>well in IPsec.

This is news to me and probably to many folks in MSEC.  Please take a 
look at the work underway in that group.

regards,
Lakshminath

>I think the way it is used in OSPFv3 is itself a hack. Also in the
>end of it we are still using manual keying as well as only
>authentication so still the same as for the protocols.
>
>Stephen Kent would probably have the details of it.
>
>Thanks,
>Vishwas
>
>
>On 5/4/06, Acee Lindem <acee@cisco.com> wrote:
>Sandhya,
>See inline.
>Sandhya Chawla wrote:
>
> >Hi Stephane,
> >
> >--- Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> >
> >>On Thu, May 04, 2006 at 05:15:21AM +0100, Sandhya Chawla
> >><sandhya.chawla@yahoo.co.in> wrote a message of 50 lines which said:
> >>
> >>>Why are we working on providing security at each routing protocol
> >>>(application layer)? Why can't we simply use IPSEC for this?
> >>>
> >>Wild guess from a non-expert: because IPsec only provides channel
> >>security, not data security. For instance, if I have a BGP connection
> >>
> >
> >We could use ESP with null encryption (null cipher). Using NULL as
> >we really don't want to provide any confidentiality. We only want to
> >authenticate the sender and want to make sure that no one mangles the
> >packet in between.
> >
> >>with a peer, I can use IPsec and therefore be sure that the peer is
> >>really what it says it is. But what does it buy me when the peer
> >>announces a route? How can I be sure that he is entitled to announce
> >>this route?
> >>
> >
> >Yes, I understand the need for SO-BGP and S-BGP. What about the IGPs?
> >We would perhaps not want to go in for the complexity of issuing
> >certificates, etc. for IGPs. Would we?
> >
>I would hope not. Though there have been experiments in this area.
>
> >If not, then why can't we simply use IPSEC to protect and auth my IGP data?
> >
>There have been some challenges in using IPSec but the draft should be
>published soon.
>
>http://www.ietf.org/internet-drafts/draft-ietf-ospf-ospfv3-auth-08.txt
>
>Work is underway to provide the IPSec for OSPFv2 as well.
>
>Acee
>
> >I understand that IPSEC works best for, and is perhaps currently
> >defined only for, unicast traffic.
> >Is this the reason because of which we can't use IPSEC for IGPs (OSPF)?
> >
> >Regards,
> >Sandhya
> >
> >>(Analogy: showing me your passport can convince me that you are indeed
> >>Sandhya Chawla. But it does not make any difference when you tell me
> >>that Om Prakash Chautala is an honest man or not: I still have to
> >>check the information.)
> >>
> >>For the same reason, IPsec does not make the DNS safer and we need
> >>DNSsec.
> >

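As an added illustration (not part of this thread or of any of the posters' code) of the "ESP with null encryption" idea raised above: the Python below builds and verifies an RFC 4303 ESP packet with the NULL cipher, an HMAC-SHA1-96 ICV and a manually configured key, and implements the ESP anti-replay window. It shows the two properties the thread wants from IPsec here, that only a holder of the key can produce a packet that verifies and that any mangling in transit is detected, while making no statement about whether the routes inside are authorized. The SPI, key and payload are constructed sample values.

```python
import hashlib, hmac, struct

NEXT_HEADER_OSPF = 89  # IP protocol number carried in the ESP trailer for an OSPF payload
ICV_LEN = 12           # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits (RFC 2404)

def esp_null_encapsulate(spi, seq, payload, auth_key, next_header=NEXT_HEADER_OSPF):
    """ESP (RFC 4303) with the NULL cipher: payload in the clear, integrity from the ICV only."""
    # NULL cipher has a 1-octet block size, but the trailer must still end 4-octet aligned
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default monotonic padding
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv

def esp_null_verify(packet, auth_key):
    """Return (spi, seq, payload, next_header) if the ICV checks out, else None."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time compare
        return None
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, body[8:len(body) - 2 - pad_len], next_header

class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 section 3.4.3); here 32 sequence numbers wide."""
    def __init__(self, size=32):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        """True if seq is new and inside the window; False for zero, too old or replayed."""
        if seq == 0:
            return False
        if seq > self.top:  # newest packet so far: slide the window forward
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if seq <= self.top - self.size:
            return False  # fell off the left edge of the window
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False  # already seen: replay
        self.bitmap |= bit
        return True
```

esp_null_verify returns None both for a packet altered in transit and for one built with a different key, so a receiver cannot distinguish "mangled" from "wrong peer", which is the behaviour ESP-NULL is meant to give.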

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec