gtaylor at tnetconsulting.net
Sun Nov 18 19:04:57 UTC 2018
Warning: n00b level question, ignore at your own discretion.
On 11/18/18 3:59 AM, Saku Ytti wrote:
> Not arguing that MACsec isn't a superior feature, it's just that the cost of
> MACsec is non-trivial compared to the cost of HMAC-MD5, and it seems HMAC-MD5
> for certain attacks is a strong guarantee. Ideally we'd implement TCP-AO
> (RFC5925) to replace BGP HMAC-MD5, just to get a derived secret instead
> of a static one (how many change their MD5 secret periodically?) but it looks
> like the ship may have sailed on that one.
Is it not possible to protect (just) the eBGP with IPsec?
I would think that IPsec would provide the desired protection and that
tuning filters to the proper ports would reduce the overhead that MACsec
might incur with all traffic being encrypted.
Does anyone have any real world experience to offer this n00b?
Thank you in advance.
Grant. . . .
unix || die