Re: [Ipsec] Specification of BGP IPsec policy
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "VPNC" == VPNC <Paul> writes:
>> Okay, let's start at the top.
>>
>> which authentication mechanism scales to thousands of BGP peering
>> partners? and if you say X.509, then please let us know which CA
>> to buy.
VPNC> One doesn't need to "buy" CAs; for example, there is SimpleCA
VPNC> from the VPN Consortium which is freeware (see
VPNC> <http://www.vpnc.org/SimpleCA/>). Other freeware CAs exist as
VPNC> well.
Paul, you missed the point. It isn't the software.
Which *certificate* authority should all BGP speaking organizations
sign up for? In a well top-down ordered Internet everyone would peer
at IXs, and it would be clear that the IX could be the CA. Life isn't
so simple.
VPNC> The problem is not in issuing the certs, it is in getting the
VPNC> authorization policies into the IPsec systems. Some IPsec
VPNC> implementations have a "accept anyone who has a cert issued by
VPNC> this particular CA into this policy" setting, but many
right, so assume that this policy exists everywhere.
(If Cisco and Juniper had such a policy, then that would be 99% of BGP
speakers. A Linux router running Openswan can deal with such a policy
too.)
It still doesn't answer the question of which root certificate will
work.
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQI6uhIqHRg3pndX9AQEe4AQAukF4nTeDmQ50esyJz7nlcXFhTJ0saY4S
NBB0pf2wKUPxN3FdVK9NQHlsB+WKSYQPx/qWC9wOU0fU/SVvL8zbrFkkKzjt5n1H
E9ljKu/ZOKgv4GG8AiWijI129K+PH15VHNkl7qYQ2Sa4fbcCMsfiTFZicAzcNGwG
wbFLQS/Jsiw=
=AI0S
-----END PGP SIGNATURE-----
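For readers unfamiliar with the setting the thread refers to, here is what an "accept any peer holding a cert issued by this particular CA" policy looks like in Openswan's ipsec.conf syntax. This is a constructed example added to this archive page, not configuration from either poster; the certificate path, the CA distinguished name and the connection name are placeholders. It shows that the policy itself is easy to express; what it cannot express is Michael's actual question, namely which CA's name belongs on the rightca= line when thousands of independently run BGP peers need to agree on one.

```ini
; constructed example of a CA-based IPsec authorization policy (Openswan ipsec.conf)
; placeholder values: router.pem, "Example IX Root CA", the conn name

conn bgp-peers
    ; local end: identity is taken from our own certificate
    left=%defaultroute
    leftcert=/etc/ipsec.d/certs/router.pem
    leftid=%fromcert
    leftrsasigkey=%cert
    ; remote end: any address and any subject name are acceptable,
    ; provided the peer's certificate chains to the CA named below
    right=%any
    rightid=%fromcert
    rightrsasigkey=%cert
    rightca="C=XX, O=Example IX, CN=Example IX Root CA"
    authby=rsasig
    ; load the policy at startup and let peers initiate
    auto=add
```

The rightca= value is the only line that carries trust: every organization that copies this fragment must put the same CA there, or the peering sessions will not authenticate, which is exactly why the choice of root certificate rather than the CA software is the hard part.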
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec