bgp protection

Randy Bush randy at
Mon Nov 5 23:52:07 UTC 2007

at the end of nanog, i sent two messages.

<> was a
minor side note re 204/4 , about which we can all really do nothing
for many years.  it engendered the thread from hell.

<> was
regarding getting vendors to implement rfc 4808, about which we can
do something, and which i think would be rather useful in actual
operation of our networks.  not a single comment ensued.

the key chunk of the latter is

> at nanog san jose, steve bellovin presented a simple proposal for bgp
> tcp/md5 re-keying.  it is now rfc 4808 "Key Change Strategies for
> TCP-MD5."  this allows us to install and/or roll keys without disturbing
> the bgp session.  and it is trivial for vendors to implement and for
> operators to use.
> imiho, until it is easy for us to use ipsec, or some other wonderful
> universal solution, that we implement and deploy rfc 4808.  it will
> solve 95% of our problem for the next five years while more
> sophisticated scheme(s) can be developed.

i again plead for folk to look at rfc 4808 and consider whacking
our vendors to implement.


More information about the NANOG mailing list