Re: [RPSEC] Re: Using IPSec for Routing Protocols
Acee Lindem <acee@cisco.com> Thu, 04 May 2006 19:12 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FbjFw-00041b-7i; Thu, 04 May 2006 15:12:56 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FbjFu-0003tg-An for rpsec@ietf.org; Thu, 04 May 2006 15:12:55 -0400
Received: from sj-iport-4.cisco.com ([171.68.10.86]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FbjFt-0001Ve-VQ for rpsec@ietf.org; Thu, 04 May 2006 15:12:54 -0400
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-4.cisco.com with ESMTP; 04 May 2006 12:12:53 -0700
X-IronPort-AV: i="4.05,89,1146466800"; d="scan'208"; a="1801440258:sNHT29522788"
Received: from xbh-rtp-211.amer.cisco.com (xbh-rtp-211.cisco.com [64.102.31.102]) by sj-core-3.cisco.com (8.12.10/8.12.6) with ESMTP id k44JCqVI026241; Thu, 4 May 2006 12:12:53 -0700 (PDT)
Received: from xfe-rtp-202.amer.cisco.com ([64.102.31.21]) by xbh-rtp-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 4 May 2006 15:12:52 -0400
Received: from [10.82.209.92] ([10.82.209.92]) by xfe-rtp-202.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 4 May 2006 15:12:52 -0400
Message-ID: <445A5233.7090305@cisco.com>
Date: Thu, 04 May 2006 15:12:51 -0400
From: Acee Lindem <acee@cisco.com>
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Vishwas Manral <vishwas.ietf@gmail.com>
Subject: Re: [RPSEC] Re: Using IPSec for Routing Protocols
References: <20060504082605.60358.qmail@web8513.mail.in.yahoo.com> <4459E002.2050103@cisco.com> <77ead0ec0605040525jd8cead1o346b8e6f1b7b15a0@mail.gmail.com>
In-Reply-To: <77ead0ec0605040525jd8cead1o346b8e6f1b7b15a0@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 04 May 2006 19:12:52.0244 (UTC) FILETIME=[BD974D40:01C66FAE]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 93e7fb8fef2e780414389440f367c879
Cc: rpsec@ietf.org
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/rpsec>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
Errors-To: rpsec-bounces@ietf.org
Vishwas Manral wrote:
> Hi Acee,
>
> One reason we do not use IPsec is that we do not support multicast
> well in IPsec. I think the way it is used in OSPFv3 is itself a hack.
> Also in the end of it we are still using manual keying as well as only
> authentication, so still the same as for the protocols.

Hi Vishwas,

Irrespective of the limitations, I believe what is defined will provide
a base for further enhancement. If there were a burning requirement for
improvement, one could relegate OSPFv3 to only point-to-point and
point-to-multipoint network types and use dynamic keying and replay
protection.

Thanks,
Acee

> Stephen Kent would probably have the details of it.
>
> Thanks,
> Vishwas
>
> On 5/4/06, Acee Lindem <acee@cisco.com> wrote:
>>
>> Sandhya,
>> See inline.
>> Sandhya Chawla wrote:
>>
>> >Hi Stephane,
>> >
>> >--- Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
>> >
>> >>On Thu, May 04, 2006 at 05:15:21AM +0100,
>> >> Sandhya Chawla <sandhya.chawla@yahoo.co.in> wrote
>> >> a message of 50 lines which said:
>> >>
>> >>>Why are we working on providing security at each routing protocol
>> >>>(application layer)? Why can't we simply use IPSEC for this?
>> >>>
>> >>Wild guess from a non-expert: because IPsec only provides channel
>> >>security, not data security. For instance, if I have a BGP connection
>> >
>> >We could use ESP with null encryption (null cipher). Using NULL as we
>> >really don't want to provide any confidentiality. We only want to
>> >authenticate the sender and want to make sure that no one mangles the
>> >packet in between.
>> >
>> >>with a peer, I can use IPsec and therefore be sure that the peer is
>> >>really what it says it is. But what does it buy me when the peer
>> >>announces a route? How can I be sure that he is entitled to announce
>> >>this route?
>> >
>> >Yes, I understand the need for SO-BGP and S-BGP. What about the IGPs?
>> >We would perhaps not want to go in for the complexity of issuing
>> >certificates, etc. for IGPs. Would we?
>> >
>> I would hope not. Though there have been experiments in this area.
>>
>> >If not, then why can't we simply use IPSEC to protect and auth my IGP
>> >data?
>> >
>> There have been some challenges in using IPSec but the draft should be
>> published soon.
>>
>> http://www.ietf.org/internet-drafts/draft-ietf-ospf-ospfv3-auth-08.txt
>>
>> Work is underway to provide IPSec for OSPFv2 as well.
>>
>> Acee
>>
>> >I understand that IPSEC works best for, and is perhaps currently
>> >defined only for unicast traffic.
>> >Is this the reason because of which we can't use IPSEC for IGPs (OSPF)?
>> >
>> >Regards,
>> >Sandhya
>> >
>> >>(Analogy: showing me your passport can convince me that you are indeed
>> >>Sandhya Chawla. But it does not make any difference when you tell me
>> >>that Om Prakash Chautala is an honest man or not: I still have to
>> >>check the information.)
>> >>
>> >>For the same reason, IPsec does not make the DNS safer and we need
>> >>DNSsec.
>> >
>>

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec
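Added illustration of the two points argued in this thread, not code from the thread or from any OSPFv3 or IPsec implementation: what an ESP-NULL/AH-style integrity check buys a routing protocol under manual keying (tampering and off-link forgery rejected, replay not detected), what a sequence-number window adds, and why an authenticated channel still says nothing about whether a keyed neighbour is entitled to announce a prefix. The 8-byte SPI/sequence header, the HMAC-SHA1-96 ICV, the link key, the SPI and the HELLO/LSA payload strings are all constructed for the example and are not real OSPFv3 or IPsec encoding.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct("!II")   # SPI, sequence number (simplified AH/ESP-style header)
ICV_LEN = 12                 # HMAC-SHA1-96 truncation

# Constructed manual SA: every router on the link is configured with the same
# SPI/key pair, which is how manual keying works. Hypothetical values.
LINK_SPI = 0x100
LINK_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")


def compute_icv(key, spi, seq, payload):
    """HMAC-SHA1-96 over header and payload, the way an AH/ESP-NULL ICV covers them."""
    mac = hmac.new(key, HDR.pack(spi, seq) + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def protect(key, spi, seq, payload):
    """Sender side: header || payload || ICV, payload left in the clear (NULL cipher)."""
    return HDR.pack(spi, seq) + payload + compute_icv(key, spi, seq, payload)


class LinkReceiver:
    """Receiver holding the link's SA.

    anti_replay=False models manual keying with no replay window;
    anti_replay=True adds a sliding window of `window` sequence numbers,
    which is what dynamic keying would let you turn on.
    """

    def __init__(self, key, spi, anti_replay=False, window=64):
        self.key, self.spi = key, spi
        self.anti_replay, self.window = anti_replay, window
        self.highest = 0
        self.seen = set()

    def accept(self, packet):
        """Return (accepted, reason, payload)."""
        if len(packet) < HDR.size + ICV_LEN:
            return False, "truncated", b""
        spi, seq = HDR.unpack_from(packet)
        payload, icv = packet[HDR.size:-ICV_LEN], packet[-ICV_LEN:]
        if spi != self.spi:
            return False, "unknown SPI", b""
        if not hmac.compare_digest(icv, compute_icv(self.key, spi, seq, payload)):
            return False, "bad ICV", b""
        if self.anti_replay:
            if seq <= self.highest - self.window or seq in self.seen:
                return False, "replay", b""
            self.seen.add(seq)
            if seq > self.highest:
                self.highest = seq
                self.seen = {s for s in self.seen if s > seq - self.window}
        return True, "ok", payload


def run_scenarios():
    """Constructed packets; returns the receiver's verdict for each case."""
    results = {}
    router_a = LinkReceiver(LINK_KEY, LINK_SPI)            # manual keying, no window
    hello = b"HELLO router-id=10.0.0.1"
    pkt = protect(LINK_KEY, LINK_SPI, 1, hello)
    results["genuine"] = router_a.accept(pkt)[1]
    # On-path modification of the payload: ICV no longer matches.
    tampered = pkt[:-ICV_LEN - 3] + b"XYZ" + pkt[-ICV_LEN:]
    results["tampered"] = router_a.accept(tampered)[1]
    # Off-link attacker without the manual key cannot produce a valid ICV.
    forged = protect(b"attacker-guess", LINK_SPI, 2, b"HELLO router-id=10.0.0.66")
    results["off_link_forgery"] = router_a.accept(forged)[1]
    # Captured genuine packet replayed: nothing stops it under manual keying.
    results["replay_manual_keying"] = router_a.accept(pkt)[1]
    router_b = LinkReceiver(LINK_KEY, LINK_SPI, anti_replay=True)
    router_b.accept(pkt)
    results["replay_with_window"] = router_b.accept(pkt)[1]
    # Channel security is not route authorization: a correctly keyed
    # neighbour can originate any prefix and the ICV check passes.
    rogue = protect(LINK_KEY, LINK_SPI, 3, b"LSA prefix=2001:db8:dead::/48 origin=10.0.0.2")
    results["authorized_peer_bogus_prefix"] = router_a.accept(rogue)[1]
    return results


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:30s} {verdict}")
```

The last scenario is the one Stephane's passport analogy describes: the receiver can prove who sent the LSA, but deciding whether that sender may originate 2001:db8:dead::/48 is a separate policy question that no transport-layer check answers.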
- [RPSEC] Using IPSec for Routing Protocols Sandhya Chawla
- [RPSEC] Re: Using IPSec for Routing Protocols Stephane Bortzmeyer
- [RPSEC] Re: Using IPSec for Routing Protocols Sandhya Chawla
- Re: [RPSEC] Re: Using IPSec for Routing Protocols Acee Lindem
- Re: [RPSEC] Re: Using IPSec for Routing Protocols Vishwas Manral
- Re: [RPSEC] Re: Using IPSec for Routing Protocols Lakshminath Dondeti
- Re: [RPSEC] Re: Using IPSec for Routing Protocols Lakshminath Dondeti
- Re: [RPSEC] Re: Using IPSec for Routing Protocols Acee Lindem
- [RPSEC] Re: Using IPSec for Routing Protocols Stephane Bortzmeyer
- Re: [RPSEC] Re: Using IPSec for Routing Protocols Vishwas Manral