
Re: [Ipsec] Applications over IPsec



At 06:53 AM 4/18/2006, Stephen Kent wrote:
At 6:09 PM -0700 4/17/06, Vishwas Manral wrote:
Hi Stephen,

I see issues in drafts using IPsec then:
http://www.ietf.org/internet-drafts/draft-ietf-ospf-ospfv3-auth-08.txt states that transport mode is a MUST and Tunnel mode is a MAY. This is more related to RFC4301 though.

Regarding the algorithms to be supported for ESP and AH (RFC4305), I will add a clear recommendation for applications to use.

Thanks,
Vishwas


Yes, I am aware of the OSPFv3 security I-D. The MUST vs. MAY re tunnel and transport modes does not bother me. These folks are defining what an OSPF router has to do as a HOST in the routing environment, not as a GATEWAY. The same would be true if one employed IPsec to protect BGP sessions.

The bigger problem is that OSPF needs multicast support and we don't have what they need. The MSEC WG did not provide the necessary extensions to the SPD and SAD to accommodate multicast uses ala OSPF. Thus the OSPF folks tried to make do with what was defined, and the result is not pretty.

As I read through this thread, I will try and respond to the MSEC work on IPsec extensions. There is in fact work underway on Russ's request to provide extensions to IPsec to support multicast. We've never received requirements from the OSPF group. I recall someone (Sandy perhaps) making a statement at some point that there is interest from the OSPF WG. I will ping the OSPF chairs today to see what's up.

thanks and regards,
Lakshminath


Steve
_______________________________________________
Ipsec mailing list
Ipsec@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ipsec

