Hi Sandy,

The idea that I am trying to state is the use of authentication at 2 levels (in BTNS they skip the authentication at the IKE exchange altogether - and do it at a different layer if possible). At the first level we use GTSM as the first filter for IKE itself and once the system adjacencies are up we actually can use the full authentication/ any other form of authentication (so that reachability information is there).

By doing this we may trust a peer entity but only for some time; when the adjacencies come up we have the option of doing a full authentication. Regarding the issues with the way things work currently (which will be mitigated) you can always look at the draft I have written.

Thanks,
Vishwas

On 9/30/08, Sandy Murphy <[EMAIL PROTECTED]> wrote:
>> I agree to what you say and the general sense of the room in the KMART BOF.
>> That is the reason I proposed a BTNS based solution. Which uses GTSM
>> in the IKE to do the first level security.
>
> I am not quite sure I understand the use of GTSM here. The need for
> authentication for OSPF is that you don't trust that everyone on the
> local broadcast link is OK. GTSM tells you that the sender came from
> one-hop away, i.e., on the local broadcast link. Since you already know
> that you don't trust everyone one-hop away, how does the use of GTSM
> help?
>
> --Sandy

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
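The GTSM receiver check that both messages above refer to can be shown concretely. The following Python is an added illustration, not code from the thread, from Vishwas's draft, or from any IKE implementation. It builds a few constructed IPv4 headers, applies the RFC 5082 rule (a GTSM sender always emits TTL 255, so a receiver that trusts peers within `trusted_hops` hops drops anything below `255 - (trusted_hops - 1)`) as a pre-filter in front of IKE, and returns the per-packet decisions. The addresses, the `gtsm_accept`/`gtsm_filter`/`demo` names and the single-hop default are all assumptions made for the example.

```python
import socket
import struct
from dataclasses import dataclass

GTSM_TTL = 255      # GTSM senders always set TTL/hop-limit to the maximum (RFC 5082)
UDP_PROTO = 17
IKE_PORT = 500


@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    ttl: int
    proto: int


def build_ipv4(src: str, dst: str, ttl: int, proto: int = UDP_PROTO, payload: bytes = b"") -> bytes:
    """Construct a minimal 20-byte IPv4 header (checksum left zero) for test input only."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Extract the fields GTSM cares about (source, TTL) from a raw IPv4 packet."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    _vihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return IPv4Header(socket.inet_ntoa(src), socket.inet_ntoa(dst), ttl, proto)


def gtsm_accept(ttl: int, trusted_hops: int = 1) -> bool:
    """RFC 5082 receiver check.

    A packet that really travelled at most `trusted_hops` router hops from a
    GTSM-compliant sender still carries TTL >= 255 - (trusted_hops - 1).
    A packet from further away has been decremented below that and is dropped
    before any IKE processing (and therefore before any IKE authentication) runs.
    """
    if trusted_hops < 1:
        raise ValueError("trusted_hops must be >= 1")
    return ttl >= GTSM_TTL - (trusted_hops - 1)


def gtsm_filter(packets, trusted_hops: int = 1):
    """Apply the GTSM pre-filter to raw packets; return (src, ttl, accepted) per packet."""
    decisions = []
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        decisions.append((hdr.src, hdr.ttl, gtsm_accept(hdr.ttl, trusted_hops)))
    return decisions


def demo():
    """Constructed traffic arriving at an IKE responder on 192.0.2.2 (documentation prefixes)."""
    responder = "192.0.2.2"
    packets = [
        # 1. the intended on-link peer: TTL untouched, so 255 on arrival
        build_ipv4("192.0.2.1", responder, 255),
        # 2. another host on the same broadcast link, not a trusted peer:
        #    also arrives with TTL 255, so GTSM alone cannot tell it from case 1
        build_ipv4("192.0.2.66", responder, 255),
        # 3. an off-link sender several routers away: TTL decremented en route
        build_ipv4("198.51.100.7", responder, 250),
        # 4. off-link sender spoofing the on-link peer's address: the source
        #    field is forged, but the lost hops cannot be put back
        build_ipv4("192.0.2.1", responder, 250),
    ]
    return gtsm_filter(packets, trusted_hops=1)


if __name__ == "__main__":
    for src, ttl, ok in demo():
        print(f"{src:>15}  ttl={ttl}  {'pass to IKE' if ok else 'drop'}")
```

Running `demo()` gives `pass, pass, drop, drop`: cases 3 and 4 never reach the IKE state machine, which is the cheap first-level filter Vishwas describes, while cases 1 and 2 are indistinguishable to GTSM, which is exactly Sandy's objection that an on-link host you do not trust passes the TTL check just as the real peer does. The second level (full IKE authentication once adjacencies are up) is what separates those two.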
