nanog mailing list archives

RE: key change for TCP-MD5


From: Randy Bush <randy () psg com>
Date: Wed, 21 Jun 2006 08:58:56 -0700


> All the multiple keys do is to decrease the cost of the DOS.

Yes

let's try to remember that, in reality, this is all about allowing
two bgp peers to move to a new key without having the operators on
the phone to keep the bgp session from resetting.  i.e.,

  o it will be uncommon that there is more than one key active
    at any one time

  o it is not expected that there are more than two, current and
    new (soon to be current and old:-) active at any one time

smb is proposing a simple, compatible, unilaterally implementable,
and unilaterally deployable hack to solve a real ops problem.

the RSs aside, a lot of very big and small networks use tcp/md5 on
their bgp sessions, and key roll is a major pita and therefore a
serious barrier to good key hygiene.

randy
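An added illustration of the receive-side behaviour being discussed here, not code from the thread or from any BGP implementation: a receiver configured with both the current and the new key accepts a segment signed with either, so the sender can move to the new key at its own pace, and each extra configured key costs exactly one more MD5 computation per segment whose signature matches nothing. Addresses, ports, keys and the segment are constructed; the digest layout follows RFC 2385.

```python
import hashlib
import struct
from collections import namedtuple

# Only the fields that RFC 2385 feeds into the digest.
Segment = namedtuple("Segment", "src_ip dst_ip src_port dst_port seq ack flags window payload")

def tcp_md5_digest(seg, key: bytes) -> bytes:
    """RFC 2385 signature: MD5(pseudo-header | TCP header without options and
    with checksum zeroed | segment data | key)."""
    seg_len = 20 + len(seg.payload)
    pseudo = seg.src_ip + seg.dst_ip + struct.pack("!BBH", 0, 6, seg_len)
    hdr = struct.pack("!HHIIBBHHH", seg.src_port, seg.dst_port, seg.seq, seg.ack,
                      5 << 4, seg.flags, seg.window, 0, 0)
    return hashlib.md5(pseudo + hdr + seg.payload + key).digest()

class Receiver:
    """Receive side of a BGP session that honours more than one configured key."""
    def __init__(self, keys):
        self.keys = list(keys)
        self.md5_ops = 0  # digests computed; the per-segment cost a bogus segment imposes

    def accept(self, seg, digest: bytes) -> bool:
        for k in self.keys:          # try current and new; any match is good enough
            self.md5_ops += 1
            if tcp_md5_digest(seg, k) == digest:
                return True
        return False

def sample_segment() -> Segment:
    # Constructed segment carrying a BGP KEEPALIVE between two private addresses.
    return Segment(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 179, 40000,
                   1000, 2000, 0x18, 65535, b"\xff" * 16 + b"\x00\x13\x04")

def rollover(old: bytes, new: bytes) -> bool:
    """Walk a session from old to new; True only if no step rejects a segment."""
    seg, rx, ok = sample_segment(), Receiver([old]), True
    rx.keys.append(new)                                   # 1. receiver learns new key; sender unchanged
    ok &= rx.accept(seg, tcp_md5_digest(seg, old))
    ok &= rx.accept(seg, tcp_md5_digest(seg, new))        # 2. sender moves to new whenever it likes
    rx.keys.remove(old)                                   # 3. receiver retires old
    ok &= rx.accept(seg, tcp_md5_digest(seg, new))
    ok &= not rx.accept(seg, tcp_md5_digest(seg, old))    # old key is now dead
    return ok

def forged_cost(n_keys: int) -> int:
    """MD5 computations spent on one segment whose digest matches no configured key."""
    rx = Receiver([b"key-%d" % i for i in range(n_keys)])
    rx.accept(sample_segment(), b"\x00" * 16)
    return rx.md5_ops
```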

