On 05/12/2015 02:51, John Scudder wrote:
> I do not understand your point. Wasn't actually intended as a wiggle,
> but as an option that you can actually do with existing shipping code.
> Maybe we can discuss Monday.
In a lot of years, I've never once seen or heard of anyone using ipsec to secure router-to-host or router-to-router management plane communications. Maybe it happens, who knows. No doubt the option works in most if not all mainline router management plane stacks, and no doubt there are people who implement this. I've never come across these people, that's all.

The point that Randy seems to be making is that this is tickbox security from a practical point of view. It satisfies the ietf's requirements for mandating encryption everywhere. It will certainly work. It will probably interoperate well and it will be every bit as secure as ipsec is. But it will only rarely if ever be used in production because ipsec is painful to deploy and has problematic failure modes.

The security considerations section in this ID explicitly states that there are security risks associated with leaking bgp information. If the ietf believes this, then there should be a recommendation to secure the protocol with some form of encryption mechanism (not just authentication), and an encryption mechanism which is likely to be deployed in production. If the ietf doesn't believe this, then the section should be removed.

tls will satisfy usability, presence in shipping code and likelihood of deployment. It comes at the cost of either using a different port number or else adding starttls into the protocol. It's understandable why there would be opposition to implementing this at revision -16 and with code widely deployed in the field. But from the point of view of the question "where do we want to be a couple of years down the road from now?", it's a pile better than ipsec from an operations point of view.

Nick

_______________________________________________
GROW mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/grow
