hrogge at googlemail.com
Thu Apr 22 17:46:40 UTC 2010
On Thursday 22 April 2010 19:43:40, Juliusz Chroboczek wrote:
> Shouldn't it be possible to run Babel over IPsec in just the same way as
> OSPF? I don't see anything that would make Babel any different than
> OSPF in that respect.
> But I agree with you -- invoking IPsec to solve all network-layer
> security issues was fashionable in the late nineties and early
> noughts, but it turns out to be next to impossible in practice (blame
> the IPsec people). We're now back to the previous style of including
> security provisions in the protocol itself.
IPsec cannot secure the routing protocol against attacks by insiders (who own at
least one legitimate node).
> So what about Babel? Designing a hop-to-hop security extension should
> be fairly easy, whether you want to do something trivial with symmetric
> keys, or something more exciting similar to SeND (but using the
> router-id, rather than the IPv6 address, to embed the public key). What
> would really be interesting would be some form of end-to-end security,
> similar to SBGP, but I'm not sure that can be done without bloating the
Hop-2-hop security could be done at the link-layer.
1) You can't win.
2) You can't break even.
3) You can't leave the game.
— The Laws of Thermodynamics, summarized