Thread: key change for TCP-MD5




key change for TCP-MD5
user name
2006-06-24 09:51:57

At the same time, you are not going to find the SP core swapping out
their equipment for hardware with crypto chips.  SPs do not seem to want
to pay for this sort of addition. So even new equipment is not getting
hardware crypto that can be used.

So a BGP IPSEC option has to work with what hardware we've got deployed
today - not wishing the community would "just upgrade."

> -----Original Message-----
> From: Bora Akyol [mailto:borabroadcom.com]
> Sent: Friday, June 23, 2006 2:02 PM
> To: Valdis.Kletnieksvt.edu
> Cc: Barry Greene (bgreene); Ross Callon; nanogmerit.edu
> Subject: RE: key change for TCP-MD5
>
> Assumptions, assumptions.
>
> If your IPSEC is being done in hardware and you have appropriate QoS
> mechanisms in your network, you will probably not be able to pass your
> best effort traffic but the rest should be OK.
>
> Can we get back to the regularly scheduled programming instead of
> throwing big numbers around?
>
> Barry had a point, if you do IPSEC stupidly, it does not protect you.
> If you pay attention to detail, it does help. It is not the panacea.
>
> For the purpose of securing BGP, I think IPSEC is easy to configure (at
> least on IOS which is what I'm used to), and will do the job. And for
> this application, I don't see why certs can't be used either.
>
> Regards
>
> Bora
>
>
> > -----Original Message-----
> > From: Valdis.Kletnieksvt.edu [mailto:Valdis.Kletnieksvt.edu]
> > Sent: Friday, June 23, 2006 1:46 PM
> > To: Bora Akyol
> > Cc: Barry Greene (bgreene); Ross Callon; nanogmerit.edu
> > Subject: Re: key change for TCP-MD5
> >
> > On Fri, 23 Jun 2006 13:35:20 PDT, Bora Akyol said:
> >
> > > The validity of your statement depends tremendously on how IPSEC is
> > > implemented.
> >
> > If 113 million packets all show up at once, you're going to get
> > DoS'ed, whether or not you have IPSEC enabled.
> >
>
key change for TCP-MD5
user name
2006-06-24 16:08:44
On Sat, Jun 24, 2006 at 02:51:57AM -0700, Barry Greene (bgreene) wrote:
>
> At the same time, you are not going to find the SP core swapping out
> their equipment for hardware with crypto chips.  SPs do not seem to want
> to pay for this sort of addition. So even new equipment is not getting
> hardware crypto that can be used.

As with everything else, it needs to actually add useful features that
make an SP's life easier, not just be another vector for an extra line
item and a higher total on the router invoice.

> So a BGP IPSEC option has to work with what hardware we've got deployed
> today - not wishing the community would "just upgrade."

SPs don't see any tangible benefit in BGP IPSEC (and legitimately so), so
this will clearly not be a driving factor for them. I guarantee you if you
solve a real problem (like say authenticating and managing authorized
prefix announcements) and make it faster/better because the router has
hardware crypto available, folks will actually start buying new RPs/etc.

-- 
Richard A Steenbergen <rase-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)