Hi Acee,
Before we make this a working group document I'd like to hear what
real problem in OSPFv2 this proposal is addressing.
With draft-ietf-ospf-hmac-sha we are upgrading the authentication
algorithms used by OSPFv2 to the same ones commonly used with
IPSec. While the optional use of AH does authenticate additional
bits of the IP header, I'm not sure I see a significant benefit in
that. On the other hand, we lose the replay protection we
currently have in OSPFv2.
The only new capability I see is the option of encrypting the
protocol traffic while, presumably, leaving everything else in the
clear. In my opinion if you really care about confidentiality
you'll run everything, including OSPF, through an IPSec tunnel.
I'd rather see the WG spend its time improving RFC 4552 by
allowing for automated rekeying (at least on P2P links) rather
than simply copying the existing OSPFv3 spec to OSPFv2.
Regards,
Paul
Acee Lindem wrote:
For some time we've discussed adding IPsec support for OSPFv2 analogous
to what we have for OSPFv3. The subject draft describes how we'd
build on the OSPFv3 support to support OSPFv2:
http://www.ietf.org/id/draft-gupta-ospf-ospfv2-sec-01.txt
What are the current thoughts as far as adding this as a WG document?
Thanks,
Acee
P.S. The formatting issues will be fixed in the next
revision.
_______________________________________________
OSPF mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ospf