
Re: [Ipsec] Specification of BGP IPsec policy



At 12:02 PM -0400 4/25/04, Michael Richardson wrote:
>  >>>>> "William" == William Dixon <ietf-wd@v6security.com> writes:
>     William> There are many ISPs with hundreds and perhaps thousands of
>     William> BGP peering partners. So I respectfully disagree that a
>     William> recommendation is not needed.  I'm guessing this is the
>
>   Okay, let's start at the top.
>
>   which authentication mechanism scales to thousands of BGP peering
>partners? and if you say X.509, then please let us know which CA to buy.

One doesn't need to "buy" CAs; for example, there is SimpleCA from 
the VPN Consortium which is freeware (see 
<http://www.vpnc.org/SimpleCA/>). Other freeware CAs exist as well.

The problem is not in issuing the certs, it is in getting the 
authorization policies into the IPsec systems. Some IPsec 
implementations have an "accept anyone who has a cert issued by this 
particular CA into this policy" setting, but many don't. In the 
latter case, you need to create a policy for each partner based on 
the exact contents of some field in the cert, which makes using certs 
much more of a hassle.

These topics are being discussed (not terribly actively) in the PKI4IPSEC WG.

--Paul Hoffman, Director
--VPN Consortium
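The two authorization styles Paul contrasts above, modelled as an added example (not code from the thread or from any IPsec implementation): one policy that admits any validated cert from a trusted CA, and one that needs an explicit entry per peering partner. Every CA and subject name here is constructed for illustration.

```python
"""Toy model of IPsec peer authorization for BGP peering partners.

Style (a): accept any cert that chains to a trusted CA (one policy entry).
Style (b): one policy entry per partner, keyed on an exact cert field.
All names below are constructed; no real CA or peer is referenced."""
from dataclasses import dataclass, replace
from typing import Tuple


@dataclass(frozen=True)
class PeerCert:
    issuer: str   # CA that signed the certificate
    subject: str  # the cert field the policy keys on (e.g. subject DN)


@dataclass(frozen=True)
class IPsecPolicy:
    name: str
    trusted_cas: frozenset               # CAs whose certs validate at all
    any_from_ca: bool = False            # style (a): issuer alone authorizes
    subjects: frozenset = frozenset()    # style (b): explicit per-partner entries

    def authorizes(self, cert: PeerCert) -> bool:
        # Stand-in for chain validation: an unknown issuer never gets in.
        if cert.issuer not in self.trusted_cas:
            return False
        if self.any_from_ca:
            return True
        # Style (b): exact match on the configured field for this partner.
        return cert.subject in self.subjects


def entries_to_maintain(policy: IPsecPolicy) -> int:
    """How many per-peer items an operator must keep current."""
    return 1 if policy.any_from_ca else len(policy.subjects)


def onboard_peer(policy: IPsecPolicy, cert: PeerCert) -> Tuple[IPsecPolicy, bool]:
    """Return the policy after adding a new partner and whether it changed."""
    if policy.authorizes(cert):
        return policy, False
    return replace(policy, subjects=policy.subjects | {cert.subject}), True


PEERING_CA = "CN=Constructed Peering CA"
PEERS = [PeerCert(PEERING_CA, f"CN=as{65000 + i}.peer.example") for i in range(1000)]
CA_POLICY = IPsecPolicy("bgp-by-ca", frozenset({PEERING_CA}), any_from_ca=True)
PER_PARTNER = IPsecPolicy("bgp-explicit", frozenset({PEERING_CA}),
                          subjects=frozenset(p.subject for p in PEERS))
```

Adding the thousand-and-first partner changes nothing in CA_POLICY but forces an edit to PER_PARTNER, which is the operational cost the message describes.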

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec