> On Sep 11, 2018, at 2:07 PM, BRUNGARD, DEBORAH A <[email protected]> wrote:
>
> I’m wondering on another approach. If I recall correctly (my memory may have
> faded), we had optimism that lisp-sec would be done by now, and so had waited
> on it. But it is not. Looking at the reference to it in lisp-intro, it is in
> the security section as “and the lightweight authentication mechanism
> proposed by LISP-Sec [I-D.ietf-lisp-sec] reduces”. I wasn’t involved at the
> time, but I’m wondering why a “proposed mechanism” merited a normative
> reference in an informational document?
>
It’s my recollection that there was feedback from the security directorate (as well as many individuals beyond that area) that the existing, specified, mechanism of map-request(nonce)/map-reply security (essentially the use of a nonce analogous to DNS) was not sufficiently secure to be deployed on an Internet control plane protocol.

LISP-SEC was a lightweight response to the requirement of providing authentication of the sender / replier conversation that did not require a PKI based solution.

LISP, to date, has been deployed for many use cases beyond internet route-scaling, some of which take advantage of LISP-SEC, and some of which have no need for its benefit.

Regards,
-Darrel

_______________________________________________
lisp mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lisp
