On Fri, Feb 18, 2011 at 1:06 PM, Russ White <[email protected]> wrote:
> Let me ask you something -- does IPsec try to verify the path the packet
> takes, or the contents of the packet? If the right solution for IPsec is
> to validate the content of the packet, then why is the right solution
> for BGP to verify the path of the packet?

Because with IPsec the content inside the encrypted payload (or even the content after the AH header) is not intended to be played with by anyone along the path. Detection of bit flippage in the packet is the point of IPsec.

BGP requires that folk along the path adjust metrics, communities, localpref (inside their ASNs), etc. It's not appropriate to 'secure the whole of the update' since that cannot be done.

-chris
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
