[c-nsp] 6509 IPv6 OSPF Auth

Ge Moua moua0100 at umn.edu
Fri Feb 18 14:14:40 EST 2011


I agree with Nick's well-written point.  That is why I like a link-state 
IGP like IS-IS where one does have the option of running IPv6 with 
authentication and not have to worry about different versions of said 
dynamic routing protocol, but this is clearly deviating from the initial 
question/issue.

-- 
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
--


On 2/18/11 12:36 PM, Nick Hilliard wrote:
> On 18/02/2011 17:51, Justin Krejci wrote:
>> Yeah... I guess no one would ever use IPv6 with OSPF until IPv6 feature
>> sets are completely matured on all platforms of every major vendor. Or
>> maybe no vendor should release any v6 support until every feature was
>> 100% v6 enabled.
>
> I don't think that was the problem.  The IETF wonks saw MD5 
> authentication on OSPFv2 as a dirty hack, rather than as a quick and 
> easy means of providing a 99.99% solution to OSPF authentication.  
> Instead, they wanted a 100% solution, and in their opinion IPsec was 
> the way to do this because it provided a cryptographically sound 
> framework for authentication and encryption services.  So they 
> mandated that there should be no MD5 authentication for OSPFv3, just 
> IPsec.
>
> As hooking anything into IPsec tends to be difficult (there is no 
> standardised API, and it's a pretty gargantuan framework), ospfv3 
> authentication is not implemented on many platforms.
>
> Perfection is the enemy of good enough.
>
> Nick