BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

• Previous message (by thread): BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")
• Next message (by thread): BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 10/21/2019 1:25 PM, Brandon Martin wrote:
> Wouldn't ipsec be a "cleaner" solution to this (buginess of implementations and difficulty of configuration aside)?  It would also solve the TCP-RST injection issues that TCP-MD5 was intended to resolve.  You can use null encryption with ESP or even just AH if you want authentication without confidentiality, too.  Or are we all going to admit that ipsec is almost dead in that it's just too darned complex?  Just run BGP over TCP as normal and install a security policy that says it must use ipsec with appropriate (agreed-upon) authentication.  "Just", right?

I've used BGP over IPSec before in my labs between EdgeRouter models for 
testing purposes.

Other then making sure there is either a connected route or static route 
(if doing multihop) to the other side, its works.  But like you said, 
interop issues and all may cause issues...

Speaking of issues, if you run StrongSwan for IPSec with BGP on the same 
router/system, make sure to disable charon's processing of routes or 
you'll be burning major CPU cycles.  See:

https://wiki.strongswan.org/issues/1196


-- 
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org    /     http://www.ahbl.org

• Previous message (by thread): BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")
• Next message (by thread): BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]