Re: [sidr] WGLC draft-sidr-rpki-rtr - take 2?

[Stephen Kent <kent@bbn.com>]

At 9:30 PM -0700 4/6/11, Brian Weis wrote:
>On Apr 6, 2011, at 5:46 PM, Randy Bush wrote:
>
>>>  Getting a new application (such as the rtr protocol) specifying
>>>  hmac-md5 mandatory to implement through a Secdir review and then the
>>>  Security ADs just won't happen. The only exception I can think of is
>>>  if there were no possible alternatives, and that's obviously not the
>>>  case here.
>>
>>  with AO not implemented on any servers, routers not having ssh
>>  libraries, and this being a server to router protocol, what are the
>>  alternatives?
>>
>>  randy
>
>I'm surprised IPsec hasn't been mentioned in this thread ... was it 
>previously discussed and rejected? Correct me if I'm wrong, but I 
>believe it's common for BGP routers to support IPsec and servers 
>definitely support IPsec. On the router side, one or two IPsec 
>sessions to servers should not be a burden. I'm less sure of the 
>server IPsec scaling properties, but I would expect a LINUX or BSD 
>kernel to have the scaling issues as were discussed earlier in this 
>thread regarding SSH but I'm no expert here.
>
>Brian

A few years ago we were told by vendors that many router 
implementations of IPsec were available only to traffic passing 
through a router, not to the
control plane terminating in a router.  Unless that has changed, IPsec is
not a good candidate here.

Steve