
[lisp] To IPsec or not IPsec (Issue #2)?



Folks,

Issue #2 for lisp-ms makes the statement "IPSec is not a good fit for this application.", and I tend to agree. All that seems wanted for the Map-Server is a packet integrity method, and while AH or ESP can provide just that there are some issues:

- AH or ESP can complicate getting through firewalls located between the Map Server and ETR. Rules allowing LISP and AH both are needed, and since it's doubtful that an administrator will want to allow all AH in/out, those firewall rules may need to be fairly specific.

- The amount of IPsec specificity needed seems more than such a simple mechanism really needs. This is a common complaint for protecting routing protocols.

Would there be support for replacing the use of AH with a simple Authentication Data field in the Map-Register packet? Defining one or more MACs and their usage for this protocol can be straightforward. Key management would most certainly be restricted to manually shared keys for now (which does not address the other part of issue #2), but it can be automated if and when a generalized automated key management method for routing is defined. It's possible that KMART will become a WG and do such a thing, although that isn't guaranteed.

Comments?

Brian

--
Brian Weis
Router/Switch Security Group, ARTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew at cisco.com
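A sketch of the Authentication Data approach proposed above, as an added example that is not part of the original message or of any LISP implementation: the packet layout (key ID, algorithm ID, length, MAC, payload), the algorithm numbering and the sample key are all assumptions. The MAC is computed with the Authentication Data field zero-filled, the way routing-protocol cryptographic authentication handles the in-packet digest.

```python
import hmac
import hashlib
import struct
from typing import Dict, Optional

# Hypothetical Map-Register framing (an assumption for this example, not the LISP encoding):
#   key_id (2 bytes) | alg_id (2 bytes) | auth_len (2 bytes) | auth_data | payload
ALG_HMAC_SHA256 = 1                     # assumed algorithm identifier
ALGS = {ALG_HMAC_SHA256: hashlib.sha256}
HEADER = struct.Struct("!HHH")


def build_map_register(payload: bytes, key_id: int, key: bytes,
                       alg_id: int = ALG_HMAC_SHA256) -> bytes:
    """Prepend a header and HMAC computed with the auth data field zeroed."""
    digestmod = ALGS[alg_id]
    auth_len = digestmod().digest_size
    header = HEADER.pack(key_id, alg_id, auth_len)
    mac = hmac.new(key, header + bytes(auth_len) + payload, digestmod).digest()
    return header + mac + payload


def verify_map_register(packet: bytes, keys: Dict[int, bytes]) -> Optional[bytes]:
    """Return the payload if the MAC verifies under the keyed-by-ID shared key, else None."""
    if len(packet) < HEADER.size:
        return None
    key_id, alg_id, auth_len = HEADER.unpack_from(packet)
    digestmod = ALGS.get(alg_id)
    if digestmod is None or auth_len != digestmod().digest_size:
        return None                     # unknown algorithm or inconsistent length
    key = keys.get(key_id)
    if key is None:
        return None                     # no manually shared key under this ID
    header = packet[:HEADER.size]
    received = packet[HEADER.size:HEADER.size + auth_len]
    payload = packet[HEADER.size + auth_len:]
    if len(received) != auth_len:
        return None
    expected = hmac.new(key, header + bytes(auth_len) + payload, digestmod).digest()
    # constant-time comparison so a verifier does not leak MAC bytes via timing
    if not hmac.compare_digest(received, expected):
        return None
    return payload


# constructed sample: a Map-Register carrying a placeholder record under key ID 7
SHARED_KEY = b"constructed-example-shared-key"
SAMPLE_PACKET = build_map_register(b"EID-prefix record (constructed)", 7, SHARED_KEY)
```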




