
Re: [Ipsec] Specification of BGP IPsec policy





>>>>> "William" == William Dixon <ietf-wd@v6security.com> writes:
    William> I don't argue that the deployability of an authentication
    William> scheme is difficult. However, the recommended BGP over
    William> TCP-MD5 auth uses a "password" between peers - no worse of
    William> an authentication deployment issue than IKE with pre-shared
    William> key.

  That's right. Also, no better. 
  (Note that we must recommend against using manually keyed IPsec
connections due to lack of replay protection, and the length that the
keys would be used) 

  So, PSK must be communicated bilaterally, so once they are on the
phone, they can come to any agreement they like about other parameters. 
  
    William> one of several recommended practices, me figuring someone
    William> on the IPsec list was involved in this latest BGP security
    William> alert/response.

  I am.
  As an IPsec person.
  As a person who runs a small co-lo which does multihop BGP. 
  I also saw the CanSecWest presentation, and the Cisco "response".

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
