[c-nsp] 6509 IPv6 OSPF Auth
Nick Hilliard
nick at foobar.org
Fri Feb 18 13:36:32 EST 2011
On 18/02/2011 17:51, Justin Krejci wrote:
> Yeah... I guess no one would ever use IPv6 with OSPF until IPv6 feature
> sets are completely matured on all platforms of every major vendor. Or
> maybe no vendor should release any v6 support until every feature was
> 100% v6 enabled.

I don't think that was the problem. The IETF wonks saw MD5 authentication
on OSPFv2 as a dirty hack, rather than as a quick and easy means of
providing a 99.99% solution to OSPF authentication. Instead, they wanted a
100% solution, and in their opinion IPsec was the way to do this because it
provided a cryptographically sound framework for authentication and
encryption services. So they mandated that there should be no MD5
authentication for OSPFv3, just IPsec.

As hooking anything into IPsec tends to be difficult (there is no
standardised API, and it's a pretty gargantuan framework), OSPFv3
authentication is not implemented on many platforms.

Perfection is the enemy of good enough.

Nick