
RE: [Ipsec] Specification of BGP IPsec policy



There are many ISPs with hundreds and perhaps thousands of BGP peering
partners. So I respectfully disagree that a recommendation is not needed.
I'm guessing this is the motivation behind Dave Wood's draft I mentioned
earlier. It is important to have recommended defaults that people can apply
operationally, and that vendors can support in their products (e.g. iSCSI
definition for using IPsec to secure their TCP connections).

> -----Original Message-----
> From: Michael Richardson [mailto:mcr@sandelman.ottawa.on.ca] 
> Sent: Friday, April 23, 2004 1:32 PM
> To: William Dixon
> Cc: ipsec@lists.tislabs.com
> Subject: Re: [Ipsec] Specification of BGP IPsec policy 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> 
> >>>>> "William" == William Dixon <ietf-wd@v6security.com> writes:
>     William> The reason I ask is because the UK NISCC guidance says "use
>     William> IPsec".
> 
>     William> http://www.uniras.gov.uk/vuls/2004/236929/index.htm
> 
>   William, to "use IPsec", you have to bilaterally agree to do so.
> As such, one can decide about the SPD along with the keying
> material or method. If it is all within an enterprise, then
> perhaps they can put it into a policy directory of some kind as well.
> 
>   One can also say bilaterally agree to "use IPsec 
> Opportunistic Encryption" (or just let people know your 
> router supports it on your IX list), in which case, all those 
> details are *ALSO* already specified.
> 
>     William> I'm surprised that with such initial coordination, a
>     William> specification of HOW to use IPsec wasn't offered in the
>     William> bulletin.
> 
>   Because it isn't necessary.
> 
> - --
> ]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
> ]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
> ] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec