During the IETF 102 RTGwg discussion of draft-dm-net2cloud-gap-analysis on using BGP to carry IPsec configuration (such as public key, etc.) and peer authentication information, some people stated that it is troublesome to use BGP to carry IPsec configuration and authentication requests because it is difficult for a BGP node to guarantee not forwarding the BGP advertisement (even if the update is marked as Not Forward).

Can someone elaborate why?

Thanks,
Linda Dunbar

P.S. A new mailing list has been created for discussing the risks associated with various simplifications of the IPsec protocol by utilizing an SD-WAN central controller. The traditional IPsec scheme requires that in a fully meshed network, each device has to manage n² key exchanges and (n-1) keys. As an example, in a 1,000-node network, 1,000,000 key exchanges are required to authenticate the devices, and each node is responsible for maintaining and managing 999 keys. In addition, when an edge node has multiple tenants attached, the edge node has to establish multiple tunnels for the tenants. For example, in a network with N nodes, if a node A has 5 tenant apps attached to it, then node A has to maintain 5*(N-1) keys if each tenant needs to communicate with all other nodes. Therefore, the simplification facilitated by an SD-WAN controller is needed for large-scale deployment. However, it is necessary to identify the associated risks, so that the industry can make informed decisions on which risks can be tolerated for their specific environment.

To subscribe: https://www.ietf.org/mailman/listinfo/sdwan-sec
_______________________________________________ rtgwg mailing list [email protected] https://www.ietf.org/mailman/listinfo/rtgwg
