key change for TCP-MD5
Iljitsch van Beijnum
iljitsch at muada.com
Mon Jun 19 13:40:50 UTC 2006
On 19-jun-2006, at 14:32, Steven M. Bellovin wrote:
> I just submitted an I-D on TCP-MD5 key change. Until it shows up in the
> official repository, see
> http://www.cs.columbia.edu/~smb/papers/draft-bellovin-keyroll2385-00.txt
> Here's the abstract:
> The TCP-MD5 option is most commonly used to secure
> BGP sessions between routers. However, changing
> the long-term key is difficult, since the change
> needs to be synchronized between different
> organizations.
> We describe single-ended strategies that will permit
> (mostly) unsynchronized key changes.
> Comments welcome.
I wonder how long that policy will hold. (-:
Ok:
First of all, I applaud this effort.
There doesn't really seem to be a way to introduce a new key other
than to just agree on a time. I'm not sure this is good enough.
Wouldn't it be better to exchange some kind of "time to change keys"
message? This could simply be a new type of BGP message that holds a
key ID. Obviously the capability to send and receive these messages
must be negotiated when the session is created, but still, I think
the extra complexity is worth it because it allows for much more
robust operation.
And is NANOG now officially an IETF working group...?
Iljitsch
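An added illustration of the single-ended rollover the abstract alludes to (example code, not from the draft or from either poster): the receiver stages the new key next to the old one and accepts a segment under whichever key verifies, so the peer can switch whenever it likes inside the overlap, and the receiver can see from the matching key when the switch has happened. The accept-either-key strategy, the addresses, key values and segment layout are assumptions constructed for the example; the digest follows RFC 2385 over a fixed 20-byte header with option-length accounting simplified.

```python
import hashlib
import hmac
import ipaddress
import struct

def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_header: bytes, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 digest: MD5 over the IP pseudo-header, the fixed 20-byte TCP
    header with its checksum zeroed (options excluded), the payload, and the key."""
    seg_len = len(tcp_header) + len(payload)       # a real segment also counts its option bytes
    pseudo = (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))  # zero byte, protocol 6 (TCP), segment length
    hdr = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]  # checksum lives at bytes 16-17
    return hashlib.md5(pseudo + hdr + payload + key).digest()

class Md5Receiver:
    """Single-ended rollover (assumed strategy): verify against every key currently
    accepted, so the peer may move to the new key at any time during the overlap."""
    def __init__(self, keys):
        self.keys = list(keys)  # old key plus the staged new key while the window is open

    def verify(self, src_ip, dst_ip, tcp_header, payload, digest):
        for k in self.keys:
            if hmac.compare_digest(tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, k), digest):
                return k  # the matching key reveals whether the peer has switched yet
        return None       # no accepted key verifies: drop the segment

    def retire(self, key):
        self.keys.remove(key)  # close the overlap once the peer is seen using the new key

# Constructed sample segment: BGP (port 179), PSH+ACK, no options, 16 bytes of payload.
SRC, DST = "192.0.2.1", "192.0.2.2"
HDR = struct.pack("!HHIIBBHHH", 40000, 179, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
DATA = b"\xff" * 16          # constructed stand-in for the start of a BGP marker
OLD_KEY, NEW_KEY = b"old-secret", b"new-secret"

def rollover_walkthrough():
    """Returns which key matched at each phase of an unsynchronized key change."""
    rx = Md5Receiver([OLD_KEY, NEW_KEY])   # receiver staged the new key before the peer switched
    results = []
    # Phase 1: peer still sends under the old key; accepted via the old key.
    results.append(rx.verify(SRC, DST, HDR, DATA, tcp_md5_digest(SRC, DST, HDR, DATA, OLD_KEY)))
    # Phase 2: peer has switched; accepted via the new key, no coordination needed.
    results.append(rx.verify(SRC, DST, HDR, DATA, tcp_md5_digest(SRC, DST, HDR, DATA, NEW_KEY)))
    rx.retire(OLD_KEY)
    # Phase 3: overlap closed; a segment still under the old key is rejected.
    results.append(rx.verify(SRC, DST, HDR, DATA, tcp_md5_digest(SRC, DST, HDR, DATA, OLD_KEY)))
    return results
```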