Re: [RPSEC] Re: Using IPSec for Routing Protocols

Acee Lindem <acee@cisco.com> Thu, 04 May 2006 19:12 UTC

Message-ID: <445A5233.7090305@cisco.com>
Date: Thu, 04 May 2006 15:12:51 -0400
From: Acee Lindem <acee@cisco.com>
To: Vishwas Manral <vishwas.ietf@gmail.com>
Subject: Re: [RPSEC] Re: Using IPSec for Routing Protocols
References: <20060504082605.60358.qmail@web8513.mail.in.yahoo.com> <4459E002.2050103@cisco.com> <77ead0ec0605040525jd8cead1o346b8e6f1b7b15a0@mail.gmail.com>
In-Reply-To: <77ead0ec0605040525jd8cead1o346b8e6f1b7b15a0@mail.gmail.com>
Cc: rpsec@ietf.org
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>

Vishwas Manral wrote:

> Hi Acee,
>
> One reason we do not use IPsec is that we do not support multicast well in
> IPsec. I think the way it is used in OSPFv3 is itself a hack. Also in the
> end of it we are still using manual keying as well as only authentication so
> still the same as for the protocols.

Hi Vishwas,

Irrespective of the limitations, I believe what is defined will
provide a base for further enhancement. If there were a burning requirement
for improvement, one could relegate OSPFv3 to only point-to-point and
point-to-multipoint network types and use dynamic keying and replay
protection.

Thanks,
Acee

>
> Stephen Kent would probably have the details of it.
>
> Thanks,
> Vishwas
>
>
> On 5/4/06, Acee Lindem <acee@cisco.com> wrote:
>
>>
>> Sandhya,
>> See inline.
>> Sandhya Chawla wrote:
>>
>> >Hi Stephane,
>> >
>> >--- Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
>> >
>> >
>> >
>> >>On Thu, May 04, 2006 at 05:15:21AM +0100,
>> >> Sandhya Chawla <sandhya.chawla@yahoo.co.in> wrote
>> >> a message of 50 lines which said:
>> >>
>> >>
>> >>
>> >>>Why are we working on providing security at each routing protocol
>> >>>(application layer)? Why cant we simply use IPSEC for this?
>> >>>
>> >>>
>> >>Wild guess from a non-expert: because IPsec only provides channel
>> >>security, not data security. For instance, if I have a BGP connection
>> >>
>> >>
>> >
>> >We could use ESP with null encryption (null cipher). Using NULL as we
>> >really don't want to provide any confidentiality. We only want to
>> >authenticate the sender and want to make sure that no one
>> >mangles the packet in between.
>> >
>> >
>> >
>> >>with a peer, I can use IPsec and therefore be sure that the peer is
>> >>really what it says it is. But what does it buy me when the peer
>> >>announces a route? How can I be sure that he is entitled to announce
>> >>this route?
>> >>
>> >>
>> >
>> >Yes, I understand the need for SO-BGP and S-BGP. What about the IGPs? We
>> >would perhaps not want to go in for the complexity of issuing
>> >certificates, etc. for IGPs. Would we?
>> >
>> >
>> I would hope not. Though there have been experiments in this area.
>>
>> >If not, then why can't we simply use IPSEC to protect and auth my IGP
>> >data?
>> >
>> >
>> There have been some challenges in using IPSec but the draft should be
>> published soon.
>>
>> http://www.ietf.org/internet-drafts/draft-ietf-ospf-ospfv3-auth-08.txt
>>
>> Work is underway to provide the IPSec for OSPFv2 as well.
>>
>> Acee
>>
>> >I understand that IPSEC works best for, and is perhaps currently defined
>> >only for unicast traffic.
>> >Is this the reason because of which we can't use IPSEC for IGPs (OSPF)?
>> >
>> >Regards,
>> >Sandhya
>> >
>> >
>> >
>> >>(Analogy: showing me your passport can convince me that you are indeed
>> >>Sandhya Chawla. But it does not make any difference when you tell me
>> >>that Om Prakash Chautala is an honest man or not: I still have to
>> >>check the information.)
>> >>
>> >>For the same reason, IPsec does not make the DNS safer and we need
>> >>DNSsec.
>> >>
>> >>
>> >>

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec
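The thread makes two distinct security points: an authentication-only IPsec SA (ESP with the NULL cipher, manual keying, optional replay protection) proves who sent a packet and that it was not mangled, while deciding whether that peer is entitled to announce a given route is a separate policy check that IPsec cannot perform. The following Python simulation is an added illustration and is not part of the mailing-list discussion or of any IETF draft; the SPI, key, peer names, prefixes and the `AUTHORIZED_ORIGINS` policy table are all constructed for the example, and the HMAC-SHA256 ICV and sliding window stand in for a real ESP implementation.

```python
import hashlib
import hmac
import struct
from ipaddress import ip_network

# Constructed values: a manually keyed SA, as the OSPFv3 authentication
# draft discussed in the thread uses. Not a real key, not a real SPI.
SPI = 0x1000
MANUAL_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
ICV_LEN = 12  # 96-bit truncated ICV, the usual ESP/AH integrity tag size


def protect(seq, payload, key=MANUAL_KEY):
    """Sender side of an ESP-NULL-style datagram: SPI | seq | payload | ICV.
    The payload travels in the clear (NULL cipher); only origin and
    integrity are protected, which is all the thread asks of IPsec here."""
    header = struct.pack("!II", SPI, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class Receiver:
    """Receiver side of the SA with an RFC 4303-style anti-replay window."""

    def __init__(self, key=MANUAL_KEY, window=64):
        self.key = key
        self.window = window
        self.highest = 0
        self.seen = set()

    def verify(self, datagram):
        """Return (status, payload); status is 'ok', 'bad_auth' or 'replay'."""
        if len(datagram) < 8 + ICV_LEN:
            return "bad_auth", None
        spi, seq = struct.unpack("!II", datagram[:8])
        body, icv = datagram[:-ICV_LEN], datagram[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        # Check the ICV before touching replay state so that forged packets
        # cannot move the window.
        if spi != SPI or not hmac.compare_digest(icv, expected):
            return "bad_auth", None
        # Anti-replay: reject sequence numbers below the window or already seen.
        if seq <= self.highest - self.window or seq in self.seen:
            return "replay", None
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return "ok", body[8:]


# Constructed policy: which prefixes each authenticated peer may originate.
AUTHORIZED_ORIGINS = {
    "peer-A": [ip_network("192.0.2.0/24")],
}


def announcement_authorized(peer, prefix):
    """The check IPsec cannot make: is this peer entitled to announce this
    prefix? Here it is a static table; a real deployment would use prefix
    filters or a route-origin validation mechanism."""
    try:
        net = ip_network(prefix, strict=True)
    except ValueError:
        return False
    return any(net.subnet_of(allowed) for allowed in AUTHORIZED_ORIGINS.get(peer, []))


def process(receiver, peer, datagram):
    """Channel check first (the IPsec layer), then the data check (routing
    policy). The payload is the announced prefix as ASCII text."""
    status, payload = receiver.verify(datagram)
    if status != "ok":
        return status
    prefix = payload.decode("ascii", errors="replace")
    return "accepted" if announcement_authorized(peer, prefix) else "unauthorized_prefix"


if __name__ == "__main__":
    rx = Receiver()
    good = protect(1, b"192.0.2.0/25")
    print(process(rx, "peer-A", good))        # authenticated and authorized
    print(process(rx, "peer-A", good))        # same sequence number: replay
    tampered = good[:8] + b"203.0.113.0/24" + good[-ICV_LEN:]
    print(process(rx, "peer-A", tampered))    # ICV no longer matches
    print(process(rx, "peer-A", protect(2, b"203.0.113.0/24")))  # valid SA, wrong prefix
```

The last case is the one Stephane's passport analogy describes: the datagram passes every IPsec check, yet the announcement still has to be refused because the policy layer, not the channel, decides what a peer may say.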