Re: [Ipsec] Specification of BGP IPsec policy
At 12:02 PM -0400 4/25/04, Michael Richardson wrote:
> >>>>> "William" == William Dixon <ietf-wd@v6security.com> writes:
> William> There are many ISPs with hundreds and perhaps thousands of
> William> BGP peering partners. So I respectfully disagree that a
> William> recommendation is not needed. I'm guessing this is the
>
> Okay, let's start at the top.
>
> which authentication mechanism scales to thousands of BGP peering
>partners? and if you say X.509, then please let us know which CA to buy.
One doesn't need to "buy" CAs; for example, there is SimpleCA from
the VPN Consortium which is freeware (see
<http://www.vpnc.org/SimpleCA/>). Other freeware CAs exist as well.
The problem is not in issuing the certs, it is in getting the
authorization policies into the IPsec systems. Some IPsec
implementations have an "accept anyone who has a cert issued by this
particular CA into this policy" setting, but many don't. In the
latter case, you need to create a policy for each partner based on
the exact contents of some field in the cert, which makes using certs
much more of a hassle.
These topics are being discussed (not terribly actively) in the PKI4IPSEC WG.
--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
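The two authorization styles the reply above contrasts (a single "anyone with a cert from this CA" rule versus one rule per peering partner keyed on an exact certificate field), as an added example that is not part of the original message or of any IPsec implementation. Certificates are modelled as plain records that a real IKE daemon would obtain by parsing and signature-checking the peer's X.509 certificate; the CA name, peer names and the `authorize` function are assumptions made up for illustration, and path validation is reduced to an issuer-name check.

```python
"""Added example, not from the original message: two ways an IPsec system can
authorize a certificate-authenticated BGP peer.

Style 1 ("accept anyone with a cert from this CA") needs one rule for all
partners.  Style 2 needs one rule per partner, matching the exact contents of
a certificate field (here: a subjectAltName dNSName).  Style 1 scales, but
anything the CA has ever issued a cert to becomes an acceptable peer.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed, hypothetical names; not a real CA or real ISPs.
TRUSTED_CA = "CN=Peering CA,O=ExampleNet"
OTHER_CA = "CN=Some Other CA,O=Unrelated"


@dataclass
class PeerCert:
    """Minimal stand-in for a parsed X.509 certificate."""
    issuer: str
    subject: str
    san_dns: str  # subjectAltName dNSName, the field per-peer rules key on


@dataclass
class Policy:
    name: str
    # Style 1: any certificate issued by this CA is admitted to the policy.
    accept_any_from_ca: Optional[str] = None
    # Style 2: explicit per-peer rules on exact SAN contents.
    allowed_san: Set[str] = field(default_factory=set)


def chain_valid(cert: PeerCert, trusted_cas: Set[str]) -> bool:
    """Stand-in for X.509 path validation (assumption: issuer-name check only).
    Real code must verify the signature, validity period and revocation
    status; this function only decides whether the issuer is a trust anchor."""
    return cert.issuer in trusted_cas


def authorize(cert: PeerCert, policy: Policy, trusted_cas: Set[str]) -> bool:
    """Authentication (is the cert genuinely from a trusted CA?) is separate
    from authorization (is this identity allowed into this policy?)."""
    if not chain_valid(cert, trusted_cas):
        return False
    if policy.accept_any_from_ca is not None and cert.issuer == policy.accept_any_from_ca:
        return True
    return cert.san_dns in policy.allowed_san


def build_per_peer_policy(name: str, partner_sans) -> Policy:
    """Style 2: one rule per partner, which is the operational 'hassle'."""
    return Policy(name=name, allowed_san=set(partner_sans))


def rule_count(policy: Policy) -> int:
    """How many entries an operator has to maintain for this policy."""
    return 1 if policy.accept_any_from_ca is not None else len(policy.allowed_san)


# Constructed sample data: three known partners, one stranger holding a cert
# from the same CA, and one peer whose cert comes from a CA we do not trust.
PARTNERS = ["bgp.partner-a.example", "bgp.partner-b.example", "bgp.partner-c.example"]
TRUSTED = {TRUSTED_CA}
CA_WIDE = Policy(name="bgp-peers-ca-wide", accept_any_from_ca=TRUSTED_CA)
PER_PEER = build_per_peer_policy("bgp-peers-explicit", PARTNERS)

KNOWN_PEER = PeerCert(TRUSTED_CA, "CN=partner-a", "bgp.partner-a.example")
STRANGER = PeerCert(TRUSTED_CA, "CN=someone-else", "bgp.stranger.example")
FOREIGN = PeerCert(OTHER_CA, "CN=partner-a", "bgp.partner-a.example")


def evaluate():
    """Run every sample cert against both policies; returns a dict of results."""
    certs = {"known": KNOWN_PEER, "stranger": STRANGER, "foreign": FOREIGN}
    return {
        label: {
            "ca_wide": authorize(c, CA_WIDE, TRUSTED),
            "per_peer": authorize(c, PER_PEER, TRUSTED),
        }
        for label, c in certs.items()
    }


if __name__ == "__main__":
    for label, result in evaluate().items():
        print(f"{label:9s} ca_wide={result['ca_wide']!s:5s} per_peer={result['per_peer']}")
    print("rules to maintain:", rule_count(CA_WIDE), "vs", rule_count(PER_PEER))
```

The stranger's certificate is the interesting row: it passes the CA-wide policy because the CA issued it, and fails the per-peer policy because nobody added that SAN to the rule table. That is the trade-off behind the "one setting versus one rule per partner" remark in the reply, and it is why an operator running the CA-wide style has to be sure the CA issues certificates only to intended peers.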