[c-nsp] 6509 IPv6 OSPF Auth

Mack McBride mack.mcbride at viawest.com
Tue Feb 22 13:38:54 EST 2011


Considering the time it will take for anything to get through the IETF process,
pushing Cisco to add IPsec for OSPFv3 is much preferable and probably faster,
particularly since it is already on the road map and is working in software routers.
We as a group need to contact our account reps and engineers and try to get the
road map accelerated.  They have working code; they just need to commit resources to
porting it.

Mack McBride
Network Architect

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alastair Johnson
Sent: Sunday, February 20, 2011 7:19 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6509 IPv6 OSPF Auth

On 2/18/2011 10:36 AM, Nick Hilliard wrote:
> On 18/02/2011 17:51, Justin Krejci wrote:
>> Yeah... I guess no one would ever use IPv6 with OSPF until IPv6 feature
>> sets are completely matured on all platforms of every major vendor. Or
>> maybe no vendor should release any v6 support until every feature was
>> 100% v6 enabled.
>
> I don't think that was the problem. The IETF wonks saw MD5
> authentication on OSPFv2 as a dirty hack, rather than as a quick and
> easy means of providing a 99.99% solution to OSPF authentication.
> Instead, they wanted a 100% solution, and in their opinion IPsec was the
> way to do this because it provided a cryptographically sound framework
> for authentication and encryption services. So they mandated that there
> should be no MD5 authentication for OSPFv3, just IPsec.

There is a current draft that proposes to add digest authentication to 
OSPFv3. You might want to support this in the IETF and ask Cisco to 
support it.

http://tools.ietf.org/html/draft-bhatia-manral-auth-trailer-ospfv3-01

aj