On Thursday 22 April 2010 19:43:40, Juliusz Chroboczek wrote:
> Shouldn't it be possible to run Babel over IPsec in just the same way as
> OSPF? I don't see anything that would make Babel any different than
> OSPF in that respect.
>
> But I agree with you -- invoking IPsec to solve all network-layer
> security issues was fashionable in the late nineties and early
> noughts[1], but it turns out to be next to impossible in practice (blame
> the IPsec people[2]). We're now back to the previous style of including
> security provisions in the protocol itself.

IPsec cannot secure the routing protocol against insider attacks (who own at least one legitimate node).

> So what about Babel? Designing a hop-to-hop security extension should
> be fairly easy, whether you want to do something trivial with symmetric
> keys, or something more exciting similar to SeND (but using the
> router-id, rather than the IPv6 address, to embed the public key). What
> would really be interesting would be some form of end-to-end security,
> similar to SBGP, but I'm not sure that can be done without bloating the
> protocol.

Hop-2-hop security could be done at the link-layer.

Henning Rogge

--
1) You can't win.
2) You can't break even.
3) You can't leave the game.
— The Laws of Thermodynamics, summarized
_______________________________________________
Babel-users mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/babel-users
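The two points in the thread above (a trivial hop-to-hop scheme with symmetric keys, and its blind spot for insiders who own a legitimate node), as an added example that is not part of the original messages or of Babel itself. The packet layout, the shared key, the router names and the update strings are constructed assumptions, not Babel's wire format.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32   # HMAC-SHA256 tag size
ID_LEN = 8     # assumed fixed-size router-id for this sketch

def protect(key: bytes, router_id: bytes, seqno: int, body: bytes) -> bytes:
    """Build router-id | seqno | body | HMAC over everything before the tag."""
    signed = router_id + struct.pack("!I", seqno) + body
    return signed + hmac.new(key, signed, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seqno = {}   # highest seqno accepted per router-id

    def accept(self, packet: bytes):
        """Return the body if the tag verifies and the seqno is fresh, else None."""
        if len(packet) < ID_LEN + 4 + MAC_LEN:
            return None
        signed, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return None
        router_id = signed[:ID_LEN]
        (seqno,) = struct.unpack("!I", signed[ID_LEN:ID_LEN + 4])
        if seqno <= self.last_seqno.get(router_id, -1):
            return None                               # replay of an old packet
        self.last_seqno[router_id] = seqno
        return signed[ID_LEN + 4:]

def demo() -> dict:
    key = b"constructed-shared-link-key-0001"        # constructed sample key
    rx = Receiver(key)
    update = b"prefix=2001:db8:1::/48 metric=96"     # constructed sample update
    pkt = protect(key, b"router-A", 1, update)
    tampered = bytearray(protect(key, b"router-A", 2, update))
    tampered[ID_LEN + 4] ^= 0x01                     # flip one bit of the body
    outsider = protect(b"k" * 32, b"router-X", 1, update)   # no group key
    # A legitimate key holder advertising a metric it does not really have.
    insider = protect(key, b"router-B", 1, b"prefix=2001:db8:1::/48 metric=0")
    return {
        "genuine": rx.accept(pkt) == update,
        "replayed": rx.accept(pkt) is None,
        "tampered": rx.accept(bytes(tampered)) is None,
        "outsider": rx.accept(outsider) is None,
        "insider_false_route": rx.accept(insider) is not None,
    }
```

Calling `demo()` returns `True` for every entry: the MAC rejects outsiders, tampering and replays, yet the false update from a key holder is accepted, because the tag proves possession of the key and nothing about the truth of the advertised metric.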

