
Re: [Ipsec] Specification of BGP IPsec policy




>>>>> "VPNC" == VPNC  <Paul> writes:
    >> Okay, let's start at the top.
    >> 
    >> which authentication mechanism scales to thousands of BGP peering
    >> partners? and if you say X.509, then please let us know which CA
    >> to buy.

    VPNC> One doesn't need to "buy" CAs; for example, there is SimpleCA
    VPNC> from the VPN Consortium which is freeware (see
    VPNC> <http://www.vpnc.org/SimpleCA/>). Other freeware CAs exist as
    VPNC> well.

  Paul, you missed the point. It isn't the software.

  Which *certificate* authority should all BGP speaking organizations
sign up for?  In a well top-down ordered Internet everyone would peer
at IXs, and it would be clear that the IX could be the CA. Life isn't
so simple.

    VPNC> The problem is not in issuing the certs, it is in getting the
    VPNC> authorization policies into the IPsec systems. Some IPsec
    VPNC> implementations have an "accept anyone who has a cert issued by
    VPNC> this particular CA into this policy" setting, but many

  right, so assume that this policy exists everywhere.
  (If Cisco and Juniper had such a policy, then that would be 99% of BGP
speakers. A Linux router running Openswan can deal with such a policy
too)

  It still doesn't answer the question of which root certificate will
work.

--
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


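The "accept anyone who has a cert issued by this particular CA" setting that Paul describes, written out as an Openswan ipsec.conf connection for the Linux router case Michael mentions. This is an added illustration, not configuration from either poster; the connection name, certificate file name and CA distinguished name are constructed placeholders.

```ini
# /etc/ipsec.conf fragment (added example; names and DN are placeholders)
conn bgp-peers
    # This router authenticates with its own certificate.
    left=%defaultroute
    leftcert=this-router.pem          # placeholder file in /etc/ipsec.d/certs
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    # Any remote address may connect ...
    right=%any
    # ... as long as its certificate chains to this one CA.
    # Authorization is the CA identity and nothing else: every
    # certificate holder under this CA is admitted to this policy.
    rightca="C=XX, O=Example IX, CN=Example IX Peering CA"   # placeholder DN
    rightid=%fromcert
    rightrsasigkey=%cert
    authby=rsasig
    auto=add
```

What the fragment cannot express is the question left open in the thread: which CA that `rightca=` line should name when the peering partners do not share one.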

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec