[belatedly] On 12 May 2009, at 21:42, Phillip Hallam-Baker wrote:
> As for adding IPSEC to BGP, I would not want to comment on the competence of the person involved.
We need to replace the MD5 hack with IPsec, because MD5 doesn't have any DoS protection, crypto algorithm agility or key rollover mechanisms. But of course that only protects your BGP sessions, not the content of the information in those sessions.
> In particular I find it utterly unbelievable that large backbone corporation A is going to configure its border routers to simply accept routing information from large backbone corporation B. If I was responsible for large corporation A then every piece of external routing data would be funnelled into a control center and the edge routers would only respond to control instructions from the control center. No matter what specifications and standards might opine, that is how I would run my network.
Sounds like a plan. Now explain to us how your control center knows which routing information is valid and which isn't? You have in the order of 30 seconds to decide for every update before your customers start to complain that "the internet" is broken.
_______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf
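The "MD5 hack" in the reply above is the TCP MD5 Signature Option of RFC 2385. As an added example, not code from the thread or from any router vendor, here is a Python model of signing and checking one TCP segment under that option; the addresses, ports, keys and the KEEPALIVE payload are constructed for the demonstration. It makes the reply's three points concrete: the option carries no key identifier, so a key change forces the receiver to try every configured key; there is no field in which another algorithm could be named; and a segment forged without the key still costs the receiver a full MD5 per candidate key before it can be dropped.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5_OPT_KIND = 19   # TCP MD5 Signature Option, RFC 2385
MD5_OPT_LEN = 18    # kind (1) + length (1) + MD5 digest (16)

# Constructed sample session (documentation addresses, not a real peering):
# a BGP speaker at 192.0.2.1 talking to a peer at 198.51.100.1.
SRC_IP, DST_IP = "192.0.2.1", "198.51.100.1"


def tcp_md5_digest(src_ip, dst_ip, tcp_header, seg_len, payload, key):
    """RFC 2385 section 2.0 digest: MD5 over the TCP pseudo-header, the fixed
    TCP header with checksum zeroed and options excluded, the segment data,
    and finally the shared key. Nothing in the input names the key or the
    hash algorithm, so neither can be signalled, negotiated or rolled."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]  # zero checksum
    h = hashlib.md5()
    for part in (pseudo, hdr, payload, key):
        h.update(part)
    return h.digest()


def build_segment(src_ip, dst_ip, payload, key,
                  sport=179, dport=40000, seq=1000, ack=2000):
    """Sender side: 20-byte TCP header, MD5 option padded with two NOPs to a
    4-byte boundary, then the payload, signed with `key`."""
    opt_len = 20
    data_offset = (20 + opt_len) // 4
    flags = 0x18  # PSH|ACK
    tcp_header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                             data_offset << 4, flags, 65535, 0, 0)
    seg_len = 20 + opt_len + len(payload)
    digest = tcp_md5_digest(src_ip, dst_ip, tcp_header, seg_len, payload, key)
    option = b"\x01\x01" + bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest
    return tcp_header + option + payload


def extract_md5_option(segment):
    """Walk the TCP options; return (digest, payload), digest None if absent."""
    data_offset = (segment[12] >> 4) * 4
    options, payload = segment[20:data_offset], segment[data_offset:]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:           # end of option list
            break
        if kind == 1:           # NOP
            i += 1
            continue
        length = options[i + 1]
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return options[i + 2:i + 18], payload
        i += length
    return None, payload


def verify_segment(src_ip, dst_ip, segment, keys):
    """Receiver side. Returns (index of the key that validated, number of MD5
    computations spent). With no key identifier in the option, a receiver
    mid-rollover can only try each configured key in turn, and a segment
    forged without the key still costs one MD5 per candidate key before it
    is dropped: that is the DoS exposure of the MD5 option."""
    digest, payload = extract_md5_option(segment)
    if digest is None:
        return None, 0
    attempts = 0
    for idx, key in enumerate(keys):
        attempts += 1
        expected = tcp_md5_digest(src_ip, dst_ip, segment[:20],
                                  len(segment), payload, key)
        if hmac.compare_digest(expected, digest):
            return idx, attempts
    return None, attempts


if __name__ == "__main__":
    keepalive = b"\xff" * 16 + b"\x00\x13\x02"  # constructed BGP KEEPALIVE
    good = build_segment(SRC_IP, DST_IP, keepalive, b"old-secret")
    print(verify_segment(SRC_IP, DST_IP, good, [b"old-secret"]))                  # (0, 1)
    print(verify_segment(SRC_IP, DST_IP, good, [b"new-secret", b"old-secret"]))   # (1, 2)
    forged = build_segment(SRC_IP, DST_IP, keepalive, b"attacker-guess")
    print(verify_segment(SRC_IP, DST_IP, forged, [b"new-secret", b"old-secret"])) # (None, 2)
```

The `attempts` counter is the point of the model: every configured key is one more MD5 the receiver must spend on each unauthenticated segment that reaches it, and during a key change the list is at least two long. IPsec's IKE carries key identifiers and algorithm negotiation precisely so that the receiver does not have to guess.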