On Thu, Apr 7, 2011 at 12:30 AM, Brian Weis <[email protected]> wrote:
>
> On Apr 6, 2011, at 5:46 PM, Randy Bush wrote:
>
>>> Getting a new application (such as the rtr protocol) specifying
>>> hmac-md5 mandatory to implement through a Secdir review and then the
>>> Security ADs just won't happen. The only exception I can think of is
>>> if there were no possible alternatives, and that's obviously not the
>>> case here.
>>
>> with AO not implemented on any servers, routers not having ssh
>> libraries, and this being a server to router protocol, what are the
>> alternatives?
>>
>> randy
>
> I'm surprised IPsec hasn't been mentioned in this thread ... was it previously

see msgid: Message-ID: <[email protected]> (5-6 messages back in this thread, from me)

> discussed and rejected? Correct me if I'm wrong, but I believe it's common for
> BGP routers to support IPsec and servers definitely support IPsec. On the

it's not a guarantee that all bgp speakers here will have ipsec capable code... for some long time at least one vendor in their 'ISP' code didn't implement ipsec, or ssh for that matter.

IPSEC is pretty heavy weight (from a config perspective) for this. Something like AO or MD5 is 'perfect', SSH as proposed does a fine job as well, though has a bugaboo on at least one platform apparently.

> router side, one or two IPsec sessions to servers should not be a burden. I'm
> less sure of the server IPsec scaling properties, but I would expect a LINUX
> or BSD kernel to have the scaling issues as were discussed earlier in this
> thread regarding SSH but I'm no expert here.

lots of at-scale vpn systems are nothing but crypto-accelerators + linux/bsd underneath...

I think there's an aversion to ipsec on routers (complexity and unused codepaths), ssh is 'used all the time' as is tcp-md5, as will (soon?) tcp-AO.

What is a reasonable way forward for now, MUST md5 and later when AO is more ubiquitous hammer through an update to the draft? Keeping a MAY for ssh transport? (in the vein of moving this forward since running code exists for both sides of this equation today)

-chris

>
> Brian
> _______________________________________________
> sidr mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/sidr
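The "MUST md5" option Chris raises, shown from the server side as an added example (not code from the thread or from any RTR implementation): building and installing a per-peer TCP-MD5 (RFC 2385) key on a Linux RTR listener via the TCP_MD5SIG socket option, the server-side counterpart of the tcp-md5 routers already use for BGP. The struct layout and constants are taken from linux/tcp.h; the peer address, key and socket are assumed placeholders, and the setsockopt call is Linux-only.

```python
import socket
import struct

# Constants from linux/tcp.h: the TCP_MD5SIG option number and the key length cap.
TCP_MD5SIG = 14
TCP_MD5SIG_MAXKEYLEN = 80
SOCKADDR_STORAGE_LEN = 128  # sizeof(struct sockaddr_storage) on Linux


def build_tcp_md5sig(peer_ip: str, key: bytes) -> bytes:
    """Pack a struct tcp_md5sig for one IPv4 peer.

    Linux layout: sockaddr_storage tcpm_addr; u8 tcpm_flags; u8 tcpm_prefixlen;
    u16 tcpm_keylen; u32 tcpm_ifindex; u8 tcpm_key[80]  (216 bytes in total).
    flags = prefixlen = 0 means the key applies to exactly this peer address.
    """
    if not 1 <= len(key) <= TCP_MD5SIG_MAXKEYLEN:
        raise ValueError("TCP-MD5 key must be 1..80 bytes")
    # struct sockaddr_in: sa_family (native u16), port (ignored for this option),
    # in_addr (4 bytes), then zero padding out to sizeof(sockaddr_storage).
    sin = struct.pack("=H", socket.AF_INET) + struct.pack("!H", 0) + socket.inet_aton(peer_ip)
    addr = sin.ljust(SOCKADDR_STORAGE_LEN, b"\x00")
    tail = struct.pack("=BBHI", 0, 0, len(key), 0)
    return addr + tail + key.ljust(TCP_MD5SIG_MAXKEYLEN, b"\x00")


def parse_tcp_md5sig(buf: bytes) -> dict:
    """Inverse of build_tcp_md5sig, to inspect what is handed to the kernel."""
    family = struct.unpack_from("=H", buf, 0)[0]
    if family != socket.AF_INET:
        raise ValueError("only AF_INET entries are handled here")
    peer_ip = socket.inet_ntoa(buf[4:8])
    flags, prefixlen, keylen, ifindex = struct.unpack_from("=BBHI", buf, SOCKADDR_STORAGE_LEN)
    key = buf[SOCKADDR_STORAGE_LEN + 8 : SOCKADDR_STORAGE_LEN + 8 + keylen]
    return {"peer_ip": peer_ip, "flags": flags, "prefixlen": prefixlen,
            "ifindex": ifindex, "key": key}


def protect_rtr_listener(sock: socket.socket, peer_ip: str, key: bytes) -> None:
    """Install a per-router key on the RTR server's listening socket (Linux only).

    Keys on a listener are inherited by accepted connections; once a key exists
    for peer_ip, the kernel drops segments from that peer whose MD5 option is
    missing or does not verify. The router must be configured with the same key.
    """
    sock.setsockopt(socket.IPPROTO_TCP, TCP_MD5SIG, build_tcp_md5sig(peer_ip, key))
```

One entry is needed per router address; there is no wildcard in this option, so the server's peer list has to be kept in step with the routers' configuration.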
