Re: [Ipsec] Specification of BGP IPsec policy
>>>>> "William" == William Dixon <ietf-wd@v6security.com> writes:
William> I don't argue that the deployability of an authentication
William> scheme is difficult. However, the recommended BGP over
William> TCP-MD5 auth uses a "password" between peers - no worse of
William> an authentication deployment issue than IKE with pre-shared
William> key.
That's right. Also, no better.
(Note that we must recommend against using manually keyed IPsec
connections due to lack of replay protection, and the length that the
keys would be used.)
So, PSK must be communicated bilaterally, so once they are on the
phone, they can come to any agreement they like about other parameters.
William> one of several recommended practices, me figuring someone
William> on the IPsec list was involved in this latest BGP security
William> alert/response.
I am.
As an IPsec person.
As a person who runs a small co-lo which does multihop BGP.
I also saw the CanSecWest presentation, and the Cisco "response".
--
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec