BGP over TLS

Mon Oct 21 16:05:41 UTC 2019

On Monday, 21 October, 2019 09:44, Robert McKay <robert at mckay.com> wrote:

>On 2019-10-21 16:30, Keith Medcalf wrote:

>> Why do you need to do anything?  TLS is Transport Layer Security and
>> it's sole purpose is to protect communications from eavesdropping or
>> modification by wiretappers on/in the line between points A and B.
>> MD5 in BGP is used for authentication (rudimentary, but authentication
>> nonetheless).

>> Why cannot one just put the MD5 authenticated connection inside a TLS
>> connection?  What is the advantage to be gained by replacing the
>> authentication mechanism with weaker certificate authentication method
>> available with TLS?

>The MD5 authentication is built into TCP options.. not obvious how you
>would transport it over TLS which afaik doesn't offer similar
>functionality.

AHA!  I understand now and sit corrected.  I was under the mistaken impression that MD5 authentication was an application level thing, not a TCP level thing.

>You'd probably have to basically tunnel TCP frames inside TLS, which
>doesn't really sound ideal (reimplement TCP in userspace?)

>Either that or maybe use some other simpler MD5 based authentication
>(unrelated to the TCP implementation currently used in BGP).. but then
>that raises lots of questions like why even use MD5.

You are correct.  There is no point in using or moving the current MD5 authentication method when it can just be "turned off" and some (perhaps better alternate) authentication method used as provided by the TLS wrapper.  This of course presumes that if one turns off MD5 that the additional TCP option header is not used ...

-- 
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.