
Re: [Ipsec] Specification of BGP IPsec policy



On Wed, Apr 21, 2004 at 08:02:35AM -0400, William Dixon wrote:
> Does anyone have a reference configuration that is proposed for securing BGP
> TCP connections with IPsec? E.g. the selector definition, tunnel/transport,
> hash, key size, lifetimes, etc.
> 
> I see this draft proposes not using IPsec. So maybe nobody is doing it.
> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt

Given that even statically-keyed AH would be far more secure than the
botch that appears to be Cisco's preferred solution (TCP-MD5), this is
really unfortunate -- but it does appear to be the case.

I'm seeing a growing trend of security-clued employees of networking
company _X_ trying hard to DTRT over here in the relevant working
groups, while consultants and "sales engineers" and the like from _X_
go around on the other hand advising customers to DTWT over there in
the real world of deployed systems -- even where it would be no more
onerous to DTRT, as with statically-keyed AH vs. statically-keyed
TCP-MD5, and would reduce the need to maintain fundamentally duplicative
functionality in complicated products.

How about it, folks?  How about everyone tries, just once or twice
a week, to hit other employees of one's employer -- you know, in particular
those ones out there in the field telling customers to use the same
preshared key with multiple IKE peers and the like -- with the clue stick?
We could do a lot of good, and a lot of trouble and embarrassment could
be avoided later besides.  :-)

Thor

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
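As an added illustration of the kind of reference configuration Dixon asks for, and of the statically-keyed AH alternative Thor describes, here is a manually keyed AH transport-mode policy for one BGP session, written in setkey(8) syntax as used by the ipsec-tools/KAME stack. This is example configuration written for this page, not from the thread, any IETF document or any vendor; the peer addresses 192.0.2.1 and 192.0.2.2, the SPIs and the keys are constructed placeholders. Each direction and each peer gets its own key, which is the point made above about not reusing one preshared key across peers.

```conf
# Added example: manually keyed AH (transport mode) protecting a BGP session
# between router A (192.0.2.1) and router B (192.0.2.2). Install on router A;
# router B uses the same SAD entries and the SPD entries with in/out swapped.
# All addresses, SPIs and keys are constructed placeholders.

# Start from a clean SAD and SPD on this host.
flush;
spdflush;

# --- Security Association Database ---
# One AH SA per direction, each with its own SPI and its own 256-bit key
# (hmac-sha256 requires exactly 32 key bytes = 64 hex digits). Generate real
# keys with a CSPRNG, e.g. `openssl rand -hex 32`, and never share a key with
# a second peer. Manual SAs have no lifetime: rotating a key means installing
# a new SPI on both routers and removing the old one.
add 192.0.2.1 192.0.2.2 ah 0x1001 -m transport
    -A hmac-sha256 0x9f2b7c1e4d8a3b6f0c5e2d7a1b4f8c3e6d9a0b2c5f7e1d4a8b3c6e9f0d2a5b7c;
add 192.0.2.2 192.0.2.1 ah 0x1002 -m transport
    -A hmac-sha256 0x3a7e1c9b5d2f8e4a6b0c3d7f9e1a5b2c4d8f6e0a7c3b9d1e2f5a8c4b6e0d3f7a;

# --- Security Policy Database ---
# Selectors: only TCP to/from port 179 (BGP) between the two peers. Both port
# layouts are listed because either router may open the TCP connection.
# "require" means unprotected BGP packets are dropped rather than accepted.
spdadd 192.0.2.1[any] 192.0.2.2[179] tcp -P out ipsec ah/transport//require;
spdadd 192.0.2.1[179] 192.0.2.2[any] tcp -P out ipsec ah/transport//require;
spdadd 192.0.2.2[any] 192.0.2.1[179] tcp -P in  ipsec ah/transport//require;
spdadd 192.0.2.2[179] 192.0.2.1[any] tcp -P in  ipsec ah/transport//require;
```

Load it with `setkey -f bgp-ah.conf` and check the result with `setkey -D` (SAD) and `setkey -DP` (SPD). Transport mode is used because the BGP endpoints are the IPsec endpoints, so there is no inner header to tunnel; AH rather than ESP because the thread compares it directly with TCP-MD5, both of which authenticate without encrypting. Since these SAs are static, the lifetime and rekeying fields that IKE would normally fill in are absent; the operator is the key-management protocol, which is also why per-peer keys and a written rotation procedure matter.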