On Apr 6, 2011, at 5:46 PM, Randy Bush wrote:
>> Getting a new application (such as the rtr protocol) specifying
>> hmac-md5 mandatory to implement through a Secdir review and then the
>> Security ADs just won't happen. The only exception I can think of is
>> if there were no possible alternatives, and that's obviously not the
>> case here.
>
> with AO not implemented on any servers, routers not having ssh
> libraries, and this being a server to router protocol, what are the
> alternatives?
>
> randy

I'm surprised IPsec hasn't been mentioned in this thread ... was it
previously discussed and rejected? Correct me if I'm wrong, but I
believe it's common for BGP routers to support IPsec and servers
definitely support IPsec. On the router side, one or two IPsec sessions
to servers should not be a burden. I'm less sure of the server IPsec
scaling properties, but I would expect a LINUX or BSD kernel to have the
scaling issues as were discussed earlier in this thread regarding SSH,
but I'm no expert here.

Brian

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr