Radia-

No one has specified IKE/ISAKMP for OSPF. For IPv4 (OSPFv2),
MD5 is the strongest thing available. OSPF for IPv6
(OSPFv3, documented in RFC 2740) runs over IPSEC (AH or ESP).

John

-----Original Message-----
From: Radia Perlman - Boston Center for Networking
[mailto:Radia.PerlmanSUN.COM]
Sent: Monday, July 09, 2001 6:38 PM
To: OSPFDISCUSS.MICROSOFT.COM
Subject: Is there a spec for IKE/ISAKMP for OSPF?

I vaguely remember someone saying that someone specified phase 2 IKE (IPSec)
protocols for creating OSPF security associations. And that there's
also one for RIPv2.

I couldn't find either document. Where are they? (and indeed it's
possible they don't exist)

With the document, I could probably answer the following questions myself,
but if someone knows the answers...

1) Given that OSPF and RIPv2 run on top of IP, and assuming that
   there is a custom IKE phase 2 for OSPF, would an alternate solution
   have been just to run OSPF on top of IPSec? If so, then what would
   be better about a new IKE phase 2 exchange than running OSPF on
   top of IP/IPsec?
2) Is this envisioned for encrypting the OSPF packets or just integrity
   protecting them?
3) What key would be used for authenticating? (presumably a pre-shared key).
   In that case, why not just use keyed MD authentication option, which
   is already there?

Thanks,

Radia

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]