draft-iesg-tcpmd5app-01.txt
Interestingly, when the work was going on for the new, soon to appear, BGP4 RFC,
many BGP sessions had no security at all but a spate of attacks about two years
ago caused many if not most to turn on MD5; I saw evidence of this in
presentations to RIPE.
RPsec is currently considering a charter update to include a draft for
point-to-point security for all protocols, including the replacement of
MD5. No draft yet, but volunteers are welcome. :-)
rpsec appeared to be the forum to move this on further but seems stalled with
two (or more) diametrically opposed views; whether or not the IETF has a process
to progress this I await with interest (perhaps it goes under the name of sidr).
Actually, I would characterize the impasse in rpsec as two things:
-- Not enough participants. We're down to 7 votes, in the last vote on
the idr requirements doc. Since people aren't going to "change sides" at
this point, we probably need more participation to form a wide consensus.
-- Three basic viewpoints:
-- The BGP specification should be taken as a process explaining how
routes should be handled. Security mechanisms should ensure that process
takes place on every router.
-- The BGP specification should be taken to describe a system that
distributes routing information throughout an internetwork. Security
mechanisms should ensure the accuracy of the data, including some bits
of policy, at least (origin authentication being the strongest example).
The point is to make certain the information advertised matches reality.
-- The entire concept of doing some new system or protocol enhancement
to "secure" BGP is off on the wrong track. We should just focus on quick
fixes, and worry about replacing BGP.
The last vote seems to have fallen along three lines.... All of the
folks in the first camp voted against it. Some of the folks in the
second camp voted for it, while others voted against it, because of
"nits" or because "it doesn't cover x well enough." I think we'll always
get those, and I don't know that we'll ever actually make it perfect
enough, in those sorts of senses. All of the folks in the last camp
voted against it, saying we don't need requirements at all.
That seems to be the status at the moment, or at least my perception of
it (which could be wrong).
:-)
Russ
--
[EMAIL PROTECTED] CCIE <>< Grace Alone