
RE: [Ipsec] Specification of BGP IPsec policy



I don't argue that the deployability of an authentication scheme is
difficult. However, the recommended BGP over TCP-MD5 auth uses a "password"
between peers - no worse of an authentication deployment issue than IKE with
pre-shared key.

This post was originally just to find the config guidance from those who
were using IPsec to secure BGP, as it was one of several recommended
practices, me figuring someone on the IPsec list was involved in this latest
BGP security alert/response. 

In any case, the lack of any specific guidance and finding Dave Ward's draft
is what I was looking for. Apparently Dave is reviewing the BGP community's
interest in using IPsec vs. other mechanisms and no further help is needed
right now. Though I'm sure he'll appreciate comments on his draft.

Thanks,
Wm

> -----Original Message-----
> From: ipsec-admin@ietf.org [mailto:ipsec-admin@ietf.org] On 
> Behalf Of Michael Richardson
> Sent: Sunday, April 25, 2004 12:02 PM
> To: William Dixon
> Cc: ipsec@lists.tislabs.com
> Subject: Re: [Ipsec] Specification of BGP IPsec policy 
> 
> 
> >>>>> "William" == William Dixon <ietf-wd@v6security.com> writes:
>     William> There are many ISPs with hundreds and perhaps thousands of
>     William> BGP peering partners. So I respectfully disagree that a
>     William> recommendation is not needed.  I'm guessing this is the
> 
>   Okay, let's start at the top.
> 
>   which authentication mechanism scales to thousands of BGP 
> peering partners? and if you say X.509, then please let us 
> know which CA to buy.
> 
> - --
> ]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
> ]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
> ] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
> 
> _______________________________________________
> Ipsec mailing list
> Ipsec@ietf.org
> https://www1.ietf.org/mailman/listinfo/ipsec
> 
> 

