TL;DR> Important work needing New WG in Routing Area.

Hi, I thought I had read previous versions of RISAV... maybe under a different draft name. I find this version much better than what I saw before.

I have some specific technical comments about how to make this work simpler, but that's not a topic for SECDISPATCH.

This document proposes to amend AH to distinguish it from other uses of AH, and I think that this is a very good idea. AH has essentially no deployment at this point, and so this is rather a good plan.

The concern that I have about this document is that the IPsec/AH parts of it are rather simple. The IPv6 header insertion and MTU parts of this document are, I think, very controversial given the SR6 experience: SR6 was said to be always within an AS, and that any leaks would be a bug. But the ENTIRE point of RISAV is to communicate between ASs.

I also think that there is a lot of BGP-like TE that is missing from this proposal. Although I run a BGP AS with multiple uplinks, I don't know all the latest stuff about MED and how to deal with situations where two ISPs connect in multiple places.

The other concern that I have with RISAV is that it seems unreasonable that an AS have only a single ACS. Maybe this can be accomplished via an anycast situation, which to me implies some kind of MOBIKE-like situation where the anycast IKEv2 responder answers with its topologically useful IP.

I can imagine a situation where the ACS together pick an appropriate pair of ASBRs to form a tunnel between them. Should a global ISP be hairpinning traffic across the Pacific when it secures traffic between two Asia-Pacific entities?

While this could be dispatched to IPSECME, I don't think that is the right choice. I think that we might need a new WG in the routing area with a SecAD owning it.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
*I*LIKE*TRAINS*
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec