>>>>> "Sam" == Sam Hartman <hartmans-ietf at mit.edu> writes:
Sam> First, note that we are targeting the IPsec architecture described
Sam> in RFC 2401. After discussing draft-bellovin-use-ipsec and my
Sam> experiences with the OSPF V3 authentication draft, Russ and I have
Sam> decided that we cannot ask people to use RFC 4301 to secure
Sam> higher-layer protocols at this time. There aren't enough
To confirm: you are telling people to say "RFC2401" rather than "RFC4301"
(Alternative which you are not saying is "do not use IPsec")
Sam> The idea is to include information in BGP routes used to set up the
Sam> tunnels sufficient to let peers know that they want to use IPsec,
Sam> know which identity to authenticate to and what IPsec parameters to
Sam> use. Peers should already know what SPD entries to create because
I question the need for all of these parameters in BGP.
I haven't read the documents yet, but all *I* need to know is the public
key (not certificate) (RSA preferred as I don't support DSA), and the
end-point.
The cryptographic algorithms are negotiable in IKE. If we don't have a
common set, saying so in BGP won't help.
The ID: it's the IP of the end-point.
I suspect that we really want to negotiate a transport mode SA for IP
protocol 4 (or 98 or 94..), not a tunnel mode SA.
We might use MODECFG to assign IP addresses for the virtual interface that
we are creating. In IKEv2, we can actually do that with the TS negotiation.
Sam> The work on what to carry in BGP will be accompanied by a profile of
Sam> IPsec which requires (probably by reference to the IPsec algorithms
Sam> documents) appropriate mandatory algorithms and which specifies how
Sam> to configure the SPD for this application.
Of course, the set of algorithms that one requires will change over time,
so the mandatory set will get stale. Of course, the document will specify at
least 2 of each algorithm so that implementations will have to test actually
switching.
Sam> Now is your chance to scream about the general approach. If you
I like it.
PS: I'm curious Sam: are cleartext or MIME signatures easier for your
text-to-speech to deal with?
--
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
"The Microsoft _Get the Facts CD_ does not work on Linux." - orospakr
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
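Added example, not part of the original thread or of either author's work: a minimal SPD model that contrasts the two approaches discussed above, a transport-mode SA protecting IP protocol 4 between the two endpoints (so the SPD does not depend on which prefixes BGP carries) versus tunnel-mode entries whose selectors name the inner prefixes and have to change whenever a new route is announced. The addresses, prefixes and the exact SPD data structures are assumptions chosen for illustration; the first-match lookup and the DISCARD default follow the SPD semantics of RFC 2401/4301.

```python
"""Added example (not from the mailing-list thread): SPD model comparing a
transport-mode proto-4 policy against tunnel-mode per-prefix policies.
All addresses and prefixes below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

IPIP = 4  # IPv4-in-IPv4, the "protocol 4" of the mail (94 and 98 are the
          # older IPIP/ENCAP numbers and would be handled the same way)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int
    inner: Optional["Packet"] = None  # set when this is an IP-in-IP packet


@dataclass(frozen=True)
class Selector:
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int] = None  # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src and pkt.dst in self.dst
                and (self.proto is None or self.proto == pkt.proto))


@dataclass(frozen=True)
class Policy:
    selector: Selector
    mode: str            # "transport" or "tunnel"
    action: str = "PROTECT"


def spd_lookup(spd: List[Policy], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First-match SPD lookup; no matching entry means DISCARD."""
    for pol in spd:
        if pol.selector.matches(pkt):
            return pol.action, pol.mode
    return "DISCARD", None


def encapsulate(inner: Packet, local: IPv4Address, peer: IPv4Address) -> Packet:
    """What the IP-in-IP virtual interface does before IPsec sees the packet."""
    return Packet(local, peer, IPIP, inner)


def host(addr: IPv4Address) -> IPv4Network:
    return ip_network(f"{addr}/32")


def transport_spd(local: IPv4Address, peer: IPv4Address) -> List[Policy]:
    """Transport mode: the SPD only needs the two endpoints and proto 4."""
    return [Policy(Selector(host(local), host(peer), IPIP), "transport")]


def tunnel_spd(local_prefixes, remote_prefixes) -> List[Policy]:
    """Tunnel mode: one selector per (local prefix, remote prefix) pair."""
    return [Policy(Selector(l, r), "tunnel")
            for l in local_prefixes for r in remote_prefixes]


def via_virtual_interface(spd, inner, local, peer):
    """BGP route points at the IP-in-IP interface; IPsec sees proto-4 traffic."""
    return spd_lookup(spd, encapsulate(inner, local, peer))


def via_tunnel_mode(spd, inner):
    """BGP route points at IPsec itself; the SPD is consulted on the inner packet."""
    return spd_lookup(spd, inner)


def scenario():
    # Constructed endpoints and prefixes (documentation/test ranges).
    local, peer = ip_address("192.0.2.1"), ip_address("198.51.100.1")
    t_spd = transport_spd(local, peer)
    tm_spd = tunnel_spd([ip_network("10.1.0.0/16")], [ip_network("10.2.0.0/16")])
    # A destination BGP already knew when the SPD was built...
    pkt_old = Packet(ip_address("10.1.5.5"), ip_address("10.2.7.7"), 6)
    # ...and one BGP announced afterwards (10.3.0.0/16 via the same peer).
    pkt_new = Packet(ip_address("10.1.5.5"), ip_address("10.3.9.9"), 6)
    return {
        "transport_old": via_virtual_interface(t_spd, pkt_old, local, peer),
        "transport_new": via_virtual_interface(t_spd, pkt_new, local, peer),
        "tunnel_old": via_tunnel_mode(tm_spd, pkt_old),
        "tunnel_new": via_tunnel_mode(tm_spd, pkt_new),
        # The proto-4 entry protects only encapsulated traffic; the peers'
        # own TCP (e.g. the BGP session) needs its own SPD entry.
        "transport_plain_tcp": spd_lookup(t_spd, Packet(local, peer, 6)),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:20} -> {result}")
```

The point the example makes concrete: with the transport-mode policy, a route learned after the SPD was configured is still protected because IPsec never looks at inner addresses, whereas the tunnel-mode SPD discards that traffic until a new selector is pushed. Note also that the proto-4 entry says nothing about other traffic between the two endpoints; the BGP session itself still needs its own policy.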