At the same time, you are not going to find the SP core swapping out their equipment for hardware with crypto chips. SPs do not seem to want to pay for this sort of addition. So even new equipment is not getting hardware crypto that can be used. So a BGP IPSEC option has to work with what hardware we've got deployed today - not wishing the community would "just upgrade."
-----Original Message-----
From: Bora Akyol [mailto:bora@broadcom.com]
Sent: Friday, June 23, 2006 2:02 PM
To: Valdis.Kletnieks@vt.edu
Cc: Barry Greene (bgreene); Ross Callon; nanog@merit.edu
Subject: RE: key change for TCP-MD5
Assumptions, assumptions.
If your IPSEC is being done in hardware and you have appropriate QoS mechanisms in your network, you will probably not be able to pass your best effort traffic but the rest should be OK.
Can we get back to the regularly scheduled programming instead of throwing big numbers around?
Barry had a point, if you do IPSEC stupidly, it does not protect you. If you pay attention to detail, it does help. It is not the panacea.
For the purpose of securing BGP, I think IPSEC is easy to configure (at least on IOS which is what I'm used to), and will do the job. And for this application, I don't see why certs can't be used either.
Regards
Bora
-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Friday, June 23, 2006 1:46 PM
To: Bora Akyol
Cc: Barry Greene (bgreene); Ross Callon; nanog@merit.edu
Subject: Re: key change for TCP-MD5
On Fri, 23 Jun 2006 13:35:20 PDT, Bora Akyol said:
> The validity of your statement depends tremendously on how IPSEC is implemented.
If 113 million packets all show up at once, you're going to get DoS'ed, whether or not you have IPSEC enabled.
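Bora's claim above is that protecting a BGP session with IPsec is easy to configure on IOS and that certificates can be used for peer authentication. The configuration below is an added illustration by the editor of what that looks like with a classic crypto map; it is not from the thread or from any of the participants. The trustpoint name, CA URL, interface, addresses (192.0.2.0/30) and AS numbers (64496/64497) are assumptions taken from the documentation ranges. It protects only the TCP/179 traffic between the two loopback-free directly connected peers, in transport mode, with IKE authenticated by RSA signatures (certificates) rather than a pre-shared key:

```cisco
! Added example (not from the thread). All names and addresses are assumed.
! CA enrollment so IKE can authenticate the peer with a certificate.
crypto pki trustpoint BGP-CA
 enrollment url http://ca.example.net:80
 subject-name CN=rtr1.example.net
 revocation-check crl
!
! IKE phase 1: certificate (rsa-sig) authentication, no pre-shared key.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 14
!
! ESP with integrity; transport mode since both peers are the endpoints.
crypto ipsec transform-set BGP-TS esp-aes esp-sha-hmac
 mode transport
!
! Only the BGP session itself is selected for protection.
ip access-list extended BGP-PEER-2
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
!
crypto map BGP-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set BGP-TS
 match address BGP-PEER-2
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map BGP-MAP
!
router bgp 64496
 neighbor 192.0.2.2 remote-as 64497
```

The peer needs the mirror image (its own certificate from the same CA, the ACL reversed, `set peer 192.0.2.1`). Note what this does and does not change: the session's packets are now authenticated and encrypted, but nothing in the configuration moves the ESP work off the route processor, which is the point Barry and Valdis are making: on a box without hardware crypto, every packet that matches the crypto map, genuine or not, is decrypted and authenticated in software before it can be discarded.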
On Sat, Jun 24, 2006 at 02:51:57AM -0700, Barry Greene (bgreene) wrote:
> At the same time, you are not going to find the SP core swapping out their equipment for hardware with crypto chips. SPs do not seem to want to pay for this sort of addition. So even new equipment is not getting hardware crypto that can be used.
As with everything else, it needs to actually add useful features that make an SP's life easier, not just be another vector for an extra line item and a higher total on the router invoice.
> So a BGP IPSEC option has to work with what hardware we've got deployed today - not wishing the community would "just upgrade."
SPs don't see any tangible benefit in BGP IPSEC (and legitimately so), so this will clearly not be a driving factor for them. I guarantee you if you solve a real problem (like say authenticating and managing authorized prefix announcements) and make it faster/better because the router has hardware crypto available, folks will actually start buying new RPs/etc.
--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)