On Apr 4, 2011, at 8:18 AM, Randy Bush wrote:
>> some folks (not me) suggest that ipsec is the way to go here... (bgp I
>> mean) I think one point to keep in mind is that tcp-ao has exactly
>> zero implementations... while SSH implementations abound.
>
> turns out that
>
> o yfv may have ssh client and server, but they do not have the library
>   in a form usable by arbitrary apps, e.g. bgp
>
> o no ao impls on unix, slowlaris, linuxes, ...
>
> so i would really love to hear from the security folk if we can do
> something like hmac-md5 as the mandatory to implement.

Getting a new application (such as the rtr protocol) specifying hmac-md5 mandatory to implement through a Secdir review and then the Security ADs just won't happen. The only exception I can think of is if there were no possible alternatives, and that's obviously not the case here.

Brian
