> -----Original Message-----
> From: Paul Wouters [mailto:[email protected]]
> Sent: Wednesday, December 07, 2016 1:42 PM
> To: Hu, Jun (Nokia - US) <[email protected]>
> Cc: Tero Kivinen <[email protected]>; [email protected]
> Subject: Re: [IPsec] RFC4301, rfc7321bis and Manual keys
>
> On Wed, 7 Dec 2016, Hu, Jun (Nokia - US) wrote:
>
> > OSPFv3 authentication (RFC4552) mandates the use of manual keys; the reason is
> > that OSPFv3 uses multicast.
> > So I could see manual-key IPsec being needed in any multicast
> > application, since group key management is not widely available. For the above
> > reason, I think it should be "MAY" instead of "SHOULD NOT".
>
> Reading that RFC, it is really cracking on all sides. You even need to use the
> same SPIs and ENC keys for inbound and outbound SAs. I really don't think this
> is a very well thought out use case for IPsec.
>
> Are people actually deploying this?
>
> How long are these static SPIs/keys used for? Forever?
>
> I don't think we need to take those requirements into consideration. If anything,
> someone needs to update RFC4552 to allow for a more modern use of IKEv2
> and multicast (RFC5374).

[HJ] OSPFv3 has been implemented on almost all IPv6-capable enterprise/carrier-level routers for a long time, and as the only standard auth method, RFC4552 was implemented along with OSPFv3. So I think I could say RFC4552 has already been deployed widely for a long time; we can't ignore this just because manual keying is less secure. In fact, using IKEv2 and RFC5374 is almost impractical for an IGP routing protocol, because when deployed, OSPFv3 is a part of the network routing infrastructure. Adding IKEv2 and RFC5374 not only adds a lot of additional complexity to the routing plane (it's going to be a non-starter already for many people), but using RFC5374 also requires a central key server, which means the key server needs to be reachable before OSPFv3 is up and running, which might not be feasible.
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
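The manual-keying shape that the thread argues over is easier to see in a concrete configuration. The following is an added example, not code from the thread or from any router vendor: it emits RFC 4552-style manual SA and SPD entries for one OSPFv3 link in setkey(8) syntax (the KAME/ipsec-tools form), with the constraint Paul points at, the same SPI and the same HMAC-SHA1 key for inbound and outbound traffic, made explicit and checked. The link-local addresses, SPI and key are constructed placeholders; how a given kernel resolves an inbound multicast SA by (destination, SPI) varies by implementation, so treat the output as the shape of an RFC 4552 setup rather than a tested production config.

```python
"""Added example (not from the mailing-list thread): emit RFC 4552-style
manual-key IPsec entries for OSPFv3 in setkey(8) syntax.

RFC 4552 keys OSPFv3 with manually configured SAs, and the same SPI and
key are used for inbound and outbound traffic on a link. The generator
makes that constraint explicit and validates the inputs practitioners
most often get wrong (reserved SPI range, wrong key length).
"""
from __future__ import annotations

from dataclasses import dataclass

OSPFV3_ALLSPF = "ff02::5"   # AllSPFRouters multicast group
OSPFV3_ALLDR = "ff02::6"    # AllDRouters multicast group
OSPF_PROTO = 89             # IP protocol number for OSPF
MIN_SPI = 256               # SPIs 1..255 are reserved by IANA (RFC 4302/4303)
HMAC_SHA1_KEY_BYTES = 20    # RFC 4552 mandates HMAC-SHA1, i.e. a 160-bit key


@dataclass(frozen=True)
class LinkSA:
    """One link's manual SA: a single SPI/key shared by every router on it."""
    local: str                 # our link-local address on the interface (hypothetical)
    neighbors: tuple[str, ...] # neighbours' link-local addresses (hypothetical)
    spi: int
    key_hex: str               # HMAC-SHA1 key as hex digits, optional 0x prefix

    def __post_init__(self) -> None:
        if not (MIN_SPI <= self.spi <= 0xFFFFFFFF):
            raise ValueError(f"SPI {self.spi:#x} outside usable range")
        raw = self.key_hex[2:] if self.key_hex.lower().startswith("0x") else self.key_hex
        try:
            key = bytes.fromhex(raw)
        except ValueError as exc:
            raise ValueError("key is not hex") from exc
        if len(key) != HMAC_SHA1_KEY_BYTES:
            raise ValueError(
                f"HMAC-SHA1 key must be {HMAC_SHA1_KEY_BYTES} bytes, got {len(key)}")
        object.__setattr__(self, "key_hex", "0x" + raw.lower())


def sa_error(local: str, neighbors: list[str], spi: int, key_hex: str) -> str | None:
    """Return the validation error for a candidate link SA, or None if acceptable."""
    try:
        LinkSA(local, tuple(neighbors), spi, key_hex)
    except ValueError as exc:
        return str(exc)
    return None


def setkey_conf(sa: LinkSA) -> str:
    """Return setkey.conf text: one AH SA per (src, dst) pair, all sharing sa.spi and key."""
    lines = ["flush;", "spdflush;", ""]
    groups = (OSPFV3_ALLSPF, OSPFV3_ALLDR)
    # Outbound: our packets to the two OSPFv3 multicast groups.
    pairs = [(sa.local, g) for g in groups]
    # Inbound: each neighbour's packets to the same groups, same SPI and key.
    pairs += [(n, g) for n in sa.neighbors for g in groups]
    # Unicast neighbour exchanges (DBD/LSR/LSU) are protected by the same link SA.
    pairs += [(sa.local, n) for n in sa.neighbors] + [(n, sa.local) for n in sa.neighbors]
    for src, dst in pairs:
        lines.append(f"add {src} {dst} ah {sa.spi:#x} -A hmac-sha1 {sa.key_hex};")
    lines.append("")
    for src, dst in pairs:
        direction = "out" if src == sa.local else "in"
        lines.append(f"spdadd {src} {dst} {OSPF_PROTO} -P {direction} ipsec ah/transport//require;")
    return "\n".join(lines) + "\n"


def spis_in(conf: str) -> set[int]:
    """Collect every SPI used in 'add' lines; RFC 4552 expects exactly one per link."""
    return {int(line.split()[4], 16) for line in conf.splitlines() if line.startswith("add ")}


if __name__ == "__main__":
    # Constructed sample: two routers on one link, one shared SPI and key.
    sample = LinkSA("fe80::1", ("fe80::2",), 0x100, "0x" + "ab" * 20)
    print(setkey_conf(sample))
```

The `spis_in` check is the one worth keeping around: because all routers on a link must agree on a single SPI and key, any configuration that ends up with more than one SPI per link is a misconfiguration, and because the key never rotates on its own, the generated file is also the artifact whose age answers Paul's "forever?" question for a given deployment.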
