
RE: Why can't ESP authenticate IP header?



At 2:49 PM -0700 9/21/01, Bora Akyol wrote:
>This is good work, but did not get a lot of traction in the IDR WG due to
>concern on taxing router CPUs that are already taxed.
>
>BTW, (afaik) the BBN work is aimed at authenticating individual advertised
>prefixes as opposed to communication between the hosts which relies on TCP
>MD5 authentication. The authentication of prefixes prevents a renegade BGP
>speaker from taking down a portion of the Internet. The current system in place is
>based mainly on trust.
>
>Bora

S-BGP uses other mechanisms, in the form of digital signatures 
carried as transitive optional path attributes, to verify the 
authorization of AS's to advertise prefixes.  The use of IPsec I 
referred to was precisely for point-to-point router authentication 
and integrity and is used in lieu of the TCP MD5 checksum hack, since 
that hack is not cryptographically strong and since it lacks an 
automated key management protocol.

Steve
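
The TCP MD5 option mentioned above (RFC 2385), computed and checked for one segment. This is an added example, not part of the original message; the addresses, ports, key and BGP KEEPALIVE payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest for one IPv4 TCP segment (16 bytes).

    tcp_header is the 20-byte fixed header only: options are left out of
    the hash and the checksum field is treated as zero.
    """
    if len(tcp_header) != 20:
        raise ValueError("pass the 20-byte fixed TCP header, without options")
    # The data offset nibble gives the on-the-wire header length (options
    # included), which counts toward the pseudo-header segment length.
    seg_len = (tcp_header[12] >> 4) * 4 + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    zeroed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    # Plain MD5 with the shared secret appended last: not HMAC, and the
    # secret is whatever both operators typed into their configurations.
    return hashlib.md5(pseudo + zeroed + payload + key).digest()

def verify_segment(src_ip, dst_ip, tcp_header, payload, key, received):
    """Receiver side: recompute and compare in constant time."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(expected, received)

# Constructed sample: BGP session (port 179) between documentation addresses.
SRC, DST = "192.0.2.1", "192.0.2.2"
KEY = b"constructed-shared-secret"
# sport, dport, seq, ack, data offset 10 words (20 + 20 bytes of options),
# flags PSH|ACK, window, checksum (ignored by the hash), urgent pointer
HEADER = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 2000, 10 << 4, 0x18,
                     65535, 0xBEEF, 0)
PAYLOAD = b"\xff" * 16 + b"\x00\x13\x04"  # BGP KEEPALIVE: marker, length 19, type 4

if __name__ == "__main__":
    digest = tcp_md5_digest(SRC, DST, HEADER, PAYLOAD, KEY)
    print("option 19 digest:", digest.hex())
    print("peer accepts:", verify_segment(SRC, DST, HEADER, PAYLOAD, KEY, digest))
```

The key is an input that both routers must already hold; nothing in the computation negotiates or rotates it.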

