Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: key change for TCP-MD5

  • From: Randy Bush
  • Date: Wed Jun 21 12:00:16 2006

>> All the multiple keys do is to decrease the cost of the DOS.
> Yes

let's try to remember that, in reality, this is all about allowing
two bgp peers to move to a new key without having the operators on
the phone to keep the bgp session from resetting.  i.e.,

  o it will be uncommon that there is more than one key active
    at any one time

  o it is not expected that there are more than two, current and
    new (soon to be current and old:-) active at any one time

smb is proposing a simple, compatible, unilaterally implementable,
and unilaterally deployable hack to solve a real ops problem.

the RSs aside, a lot of very big and small networks use tcp/md5 on
their bgp sessions, and key roll is a major pita and therefore a
serious barrier to good key hygiene.

randy





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.