IGP protocol

Grant Taylor gtaylor at tnetconsulting.net
Sun Nov 18 19:04:57 UTC 2018

Warning:  n00b level question, ignore at your own discretion.

On 11/18/18 3:59 AM, Saku Ytti wrote:
> Not arguing that MacSec isn't superior feature, it's just cost of MacSec 
> is non-trivial compared to cost of HMAC-MD5, and it seems HMAC-MD5 
> for certain attacks is strong guarantee. Ideally we'd implement TCP-AO 
> (RFC5925) to replace BGP HMAC-MD5, just to get derived secret instead 
> of static (how many change their MD5 secret periodically?)  but it looks 
> like ship may have sailed on that one.

Is it not possible to protect (just) the eBGP with IPsec?

I would think that IPsec would provide the desired protection and that 
tuning filters to the proper ports would reduce the overhead that MACsec 
might incur with all traffic being encrypted.

Does anyone have any real world experience to offer this n00b?

Thank you in advance.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4008 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20181118/02116da3/attachment.bin>

More information about the NANOG mailing list