
Re: BGP as Draft vs. RFC 2385



It seems that we do have better transport-level security
alternatives, e.g. TLS. Running BGP over IPsec is also an
option.

The issue is that the spec can't just say "MUST implement
TLS/IPsec" as the real implementations and deployments do
not, and given the specifics of BGP's threat model and
painfulness of moving the routing infrastructure to a new
transport, migrating to a new security algorithm is
operationally not justified.

In other words, TCP-MD5 as a separate security mechanism
taken out of the routing context looks behind and shouldn't
be pushed along the STD track. However, when considered
within the routing context, it does make sense.

BTW, 2385 does put TCP-MD5 within the routing context, so
maybe one way to go would be to put it in the BGP package
as a BGP security mechanism and enrich the text to explain
the details of routing realities....

Thoughts?

-- 
Alex

Wednesday, March 19, 2003, 10:18:24 AM, Wijnen, Bert (Bert) wrote:
>> 
>> we shipped SNMP to Full without replacing DES.
>> 
> But we made it a condition that work on AES support would
> commence immediately and it has indeed started.
> It is in fact getting close to being ready for Last Call.

> Bert