tcp md5 bgp attacks?

Jared Mauch jared at puck.nether.net
Wed Aug 15 00:08:47 UTC 2018


> On Aug 14, 2018, at 8:04 PM, Randy Bush <randy at psg.com> wrote:
> 
> follow-on question:
> 
> anyone using the timed key-chain stuff?

I’ve looked at it, hear it works, but not been willing to take the hit for any transition.

I talked about some of this and other challenges at SAAG WG at IETF 101.  Transport area has some possible interesting things, but similar to what Haas said, TCP-AO isn’t really viable yet, and we need something that’s stable enough to last 5-7 years, which is very different from a HTTP transaction that may live only a few seconds.

We have some places where we could transition non-BGP protocols and rotate the key, but last I recall it was only there on a single vendor so multi-vendor posed some challenges.

- Jared



More information about the NANOG mailing list