Re: [RPSEC] Re: Using IPSec for Routing Protocols

"Vishwas Manral" <vishwas.ietf@gmail.com> Fri, 05 May 2006 12:02 UTC

Message-ID: <77ead0ec0605050502t47f80d7n3bc0afe430512ff2@mail.gmail.com>
Date: Fri, 05 May 2006 05:02:53 -0700
From: Vishwas Manral <vishwas.ietf@gmail.com>
To: Lakshminath Dondeti <ldondeti@qualcomm.com>
Subject: Re: [RPSEC] Re: Using IPSec for Routing Protocols
In-Reply-To: <6.2.5.6.2.20060504114102.057e9f98@qualcomm.com>
MIME-Version: 1.0
References: <20060504082605.60358.qmail@web8513.mail.in.yahoo.com> <4459E002.2050103@cisco.com> <77ead0ec0605040525jd8cead1o346b8e6f1b7b15a0@mail.gmail.com> <6.2.5.6.2.20060504114102.057e9f98@qualcomm.com>
Cc: rpsec@ietf.org, msec@securemulticast.org

Hi Lakshminath,

I was trying to refer to the conversation on the SAAG list of which you were
a part.

Thanks,
Vishwas


On 5/4/06, Lakshminath Dondeti <ldondeti@qualcomm.com> wrote:
>
> At 05:25 AM 5/4/2006, Vishwas Manral wrote:
> >Hi Acee,
> >
> >One reason we do not use IPsec is that we do not support multicast
> >well in IPsec.
>
> This is news to me and probably to many folks in MSEC.  Please take a
> look at the work underway in that group.
>
> regards,
> Lakshminath
>
> >  I think the way it is used in OSPFv3 is itself a hack. Also in the
> > end of it we are still using manual keying as well as only
> > authentication so still the same as for the protocols.
> >
> >Stephen Kent would probably have the details of it.
> >
> >Thanks,
> >Vishwas
> >
> >
> >On 5/4/06, Acee Lindem <acee@cisco.com> wrote:
> >Sandhya,
> >See inline.
> >Sandhya Chawla wrote:
> >
> > >Hi Stephane,
> > >
> > >--- Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> > >
> > >
> > >
> > >>On Thu, May 04, 2006 at 05:15:21AM +0100, Sandhya Chawla
> > >><sandhya.chawla@yahoo.co.in> wrote a message of 50 lines which said:
> > >>
> > >>
> > >>
> > >>>Why are we working on providing security at each routing protocol
> > >>>(application layer)? Why can't we simply use IPSEC for this?
> > >>>
> > >>>
> > >>Wild guess from a non-expert: because IPsec only provides channel
> > >>security, not data security. For instance, if I have a BGP connection
> > >>
> > >>
> > >
> > >We could use ESP with null encryption (null cipher). Using NULL as
> > >we really don't want to provide any confidentiality. We only want to
> > >authenticate the sender and want to make sure that no one mangles
> > >the packet in between.
> > >
> > >
> > >
> > >>with a peer, I can use IPsec and therefore be sure that the peer is
> > >>really what it says it is. But what does it buy me when the peer
> > >>announces a route? How can I be sure that he is entitled to announce
> > >>this route?
> > >>
> > >>
> > >
> > >Yes, I understand the need for SO-BGP and S-BGP. What about the
> > >IGPs? We would perhaps not want to go in for the complexity of
> > >issuing certificates, etc. for IGPs. Would we?
> > >
> > >
> >I would hope not. Though there have been experiments in this area.
> >
> > >If not, then why can't we simply use IPSEC to protect and auth my
> > >IGP data?
> > >
> > >
> >There have been some challenges in using IPSec but the draft should be
> >published soon.
> >
> >http://www.ietf.org/internet-drafts/draft-ietf-ospf-ospfv3-auth-08.txt
> >
> >Work is underway to provide the IPSec for OSPFv2 as well.
> >
> >Acee
> >
> > >I understand that IPSEC works best for, and is perhaps currently
> > >defined only for unicast traffic.
> > >Is this the reason because of which we can't use IPSEC for IGPs (OSPF)?
> > >
> > >Regards,
> > >Sandhya
> > >
> > >
> > >
> > >>(Analogy: showing me your passport can convince me that you are indeed
> > >>Sandhya Chawla. But it does not make any difference when you tell me
> > >>that Om Prakash Chautala is an honest man or not: I still have to
> > >>check the information.)
> > >>
> > >>For the same reason, IPsec does not make the DNS safer and we need
> > >>DNSsec.
> > >>
> > >>
> > >>
> > >
> > >
> > >
> > >
> >
>
>
_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec
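As an added illustration (not code from the thread or from any of its participants), the constructed Python below models the authentication-only IPsec Sandhya describes, ESP with the NULL cipher and an HMAC-SHA1-96 ICV plus anti-replay, and Stephane's point that a packet which passes that check can still carry a route the peer is not entitled to announce. The peer name, the prefix policy, the manual key and the "ORIGINATE ..." payload are all constructed for the example.

```python
import hmac, hashlib, struct

# ESP with NULL encryption (RFC 2410) and HMAC-SHA1-96 integrity (RFC 2404).
# Layout: SPI(4) | Seq(4) | payload | padding | PadLen(1) | NextHdr(1) | ICV(12)
ICV_LEN = 12
PROTO_OSPF = 89            # IP protocol number carried in the Next Header field

def esp_null_encapsulate(key, spi, seq, payload, next_hdr=PROTO_OSPF):
    """Wrap payload in authentication-only ESP: no confidentiality, just an ICV."""
    pad_len = (-(len(payload) + 2)) % 4           # 4-byte alignment of payload+trailer
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default padding 1,2,3,...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_hdr])
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

def esp_null_decapsulate(key, spi, seen_seqs, packet):
    """Check ICV (sender + integrity) and replay; return (next_hdr, payload) or None."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None                               # mangled in transit or unknown key
    pkt_spi, seq = struct.unpack("!II", body[:8])
    if pkt_spi != spi or seq in seen_seqs:
        return None                               # wrong SA or replayed packet
    seen_seqs.add(seq)
    pad_len, next_hdr = body[-2], body[-1]
    return next_hdr, body[8:len(body) - 2 - pad_len]

# Constructed policy: which peer is entitled to originate which prefix.
AUTHORIZED = {"peer-a": {"10.1.0.0/16"}}

def route_authorized(peer, prefix):
    return prefix in AUTHORIZED.get(peer, set())

def demo():
    key = b"manual-key-shared-with-peer-a"          # constructed manual key
    seen = set()
    good = esp_null_encapsulate(key, 0x1000, 1, b"ORIGINATE 10.1.0.0/16")
    rogue = esp_null_encapsulate(key, 0x1000, 2, b"ORIGINATE 192.0.2.0/24")
    mangled = good[:8] + b"X" + good[9:]          # one payload byte changed in transit
    integrity_ok = esp_null_decapsulate(key, 0x1000, seen, good) is not None
    mangled_rejected = esp_null_decapsulate(key, 0x1000, seen, mangled) is None
    replay_rejected = esp_null_decapsulate(key, 0x1000, seen, good) is None
    # The channel check passes for the rogue announcement: IPsec cannot judge content.
    rogue_passes_ipsec = esp_null_decapsulate(key, 0x1000, seen, rogue) is not None
    rogue_blocked_by_policy = not route_authorized("peer-a", "192.0.2.0/24")
    return (integrity_ok, mangled_rejected, replay_rejected,
            rogue_passes_ipsec, rogue_blocked_by_policy)
```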