Draft guidelines for mandating the use of IPsec
All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak.

It is likely that another impediment to authors who are experts in other areas (NOT security experts) writing the security considerations section of their document is that they might not fully understand how security protocols could or might be used (for example, whether IPsec and associated key management protocols can operate using *only* packet exchange between directly attached systems, or if there needs to be packets exchanged with other not-directly-attached systems).

I see this document clearly making the case that "just use IPsec" is not sufficient. However, I don't see it as being sufficient in the more important point of helping authors understand what they need to write instead.

[Ballot discuss]

The introduction says: This document offers some guidance on when IPsec should and should not be specified.

If we are going to be talking about *mandating* security mechanisms for use in routing protocols (BGP is used as an example in this document -- a good example since IPsec is in fact currently used in this way in some cases), and if IPsec is the only security mechanism discussed in the document, then I think that we need a more balanced discussion of what can, and what cannot, be accomplished by IPsec. In addition, the document talks about automated key management.
[Ballot discuss]

[As part of the AD transition, I am assuming Sam Hartman's discuss.]

Also, please note that section 8 of this specification only covers IKEv1.
This leads to the question: Who is the intended audience for this document?
It seems clear that it is not security experts, since in general security experts (and even many non-security experts) will already fully understand the entirely reasonable main point that "Just Use IPsec" is very much *not* a valid "security considerations" section for any protocol specification.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.
It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." To learn the current status of any Internet-Draft, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on (Africa), nic.(Europe), au (Pacific Rim), org (US East Coast), or edu (US West Coast).
However, the vast majority of attacks that I have heard have actually occurred against routers fall into three categories: (i) DDOS against the control plane; (ii) Bad password selection; (iii) Accidental mis-configuration by well-intended and properly authorized network operators. In fact, in order to protect against (i), it is at least desirable to set things up so that hackers can't send any packet *to* the router's control plane at all, which reduces the value that results from authentication of packets to the router's control plane.