BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")
Brielle
bruns at 2mbit.com
Mon Oct 21 19:42:13 UTC 2019
On 10/21/2019 1:25 PM, Brandon Martin wrote:
> Wouldn't ipsec be a "cleaner" solution to this (buginess of implementations and difficulty of configuration aside)? It would also solve the TCP-RST injection issues that TCP-MD5 was intended to resolve. You can use null encryption with ESP or even just AH if you want authentication without confidentiality, too. Or are we all going to admit that ipsec is almost dead in that it's just too darned complex? Just run BGP over TCP as normal and install a security policy that says it must use ipsec with appropriate (agreed-upon) authentication. "Just", right?
I've used BGP over IPSec before in my labs between EdgeRouter models for
testing purposes.
Other then making sure there is either a connected route or static route
(if doing multihop) to the other side, its works. But like you said,
interop issues and all may cause issues...
Speaking of issues, if you run StrongSwan for IPSec with BGP on the same
router/system, make sure to disable charon's processing of routes or
you'll be burning major CPU cycles. See:
https://wiki.strongswan.org/issues/1196
--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
More information about the NANOG
mailing list