On Mar 31, 2015, at 4:55 PM, Steven Barth <[email protected]> wrote:
>
>> I like to think that the IETF standards process has considerable value, and
>> that the specifications that we produce as standards-track RFCs are
>> higher-quality, not just in document quality but in the technical quality of
>> the protocols, than the documents that enter the process.
> What do you think about ISO standards (or RFCs imported from them)?

I don't have personal experience with the ISO standards process, but I would guess it is valuable in some ways. In the case of IS-IS, it has been through both the ISO and IETF standardization processes. It is also a mature protocol that has been widely deployed… I have an even higher level of confidence that protocols are improved by the experience of being widely deployed.

>> 1) A mandatory-to-implement security mechanism. The current draft says that
>> security can be accomplished by using a lower-layer security solution, like
>> IPsec. It doesn't specify one, and (perhaps more importantly) doesn't
>> specify how the Babel session would be bound to a lower-layer security
>> mechanism. A lower layer mechanism can't really be used to secure a
>> higher-layer protocol, unless the identifiers used in the higher-layer
>> protocol are properly bound to the identifiers used in the lower-layer
>> security mechanism.
> There is RFC7298 for Babel which is mentioned in the comparison draft.

If we made RFC 7298 mandatory to implement as part of Babel, that might be a start. I have not done a full security analysis of Babel, so I don't know if it would be sufficient.

> On a more general matter, IIRC both our candidates (and I think most IETF
> routing protocols) have equally non-existent asymmetric authentication and
> that is not even talking about encryption. If you want to have encrypted
> routing protocol traffic, you are going to have a bad time last time I looked.

I don't know if a mechanism to encrypt routing protocol traffic is needed to make Babel (or IS-IS) reasonably secure. There are only limited use cases where it is desirable to hide the existence of routers or the topology of the local network from nodes on the local network, and encrypting the routing protocols wouldn't be sufficient to accomplish all of that.

Margaret
