North American Network Operators Group
RE: key change for TCP-MD5
- From: Randy Bush
- Date: Wed Jun 21 12:00:16 2006
>> All the multiple keys do is to decrease the cost of the DOS.
let's try to remember that, in reality, this is all about allowing
two bgp peers to move to a new key without having the operators on
the phone to keep the bgp session from resetting. i.e.,
o it will be uncommon that there is more than one key active
at any one time
o it is not expected that there are more than two, current and
new (soon to be current and old:-) active at any one time
smb is proposing a simple, compatible, unilaterally implementable,
and unilaterally deployable hack to solve a real ops problem.
the RSs aside, a lot of very big and small networks use tcp/md5 on
their bgp sessions, and key roll is a major pita and therefore a
serious barrier to good key hygiene.
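To make the mechanism under discussion concrete, here is an added illustration (not code from the thread, nor from any router or kernel implementation) of what "two keys active, current and new" means on the receiving side. It computes the RFC 2385 TCP MD5 signature over a segment and verifies incoming segments against a small key list, trying the current key and then the new one, so a peer that has already switched keeps its session up while the other side catches up. The peer addresses, key strings, class and function names, and the KEEPALIVE payload are all constructed for the example. It also makes the point behind the quoted DoS remark visible: a forged segment costs at most one MD5 per configured key, and in the expected case that is two.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Fixed 20-byte TCP header (no options), checksum left at zero.

    Data offset is set to 10 words (40 bytes): the base header plus the
    18-byte MD5 signature option (kind 19) padded to 20 bytes, which is
    what a signed BGP segment carries on the wire.
    """
    offset_and_flags = (10 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 TCP MD5 signature over one segment.

    Digest input, in order: the IPv4 pseudo-header (source, destination,
    zero byte, protocol 6, segment length including options), the 20-byte
    TCP header with options excluded and checksum zeroed, the payload,
    and finally the shared key.
    """
    if len(tcp_header) != 20:
        raise ValueError("pass the 20-byte TCP header without options")
    data_offset = (tcp_header[12] >> 4) * 4   # header length incl. options
    segment_len = data_offset + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, segment_len))
    header_zero_csum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    return hashlib.md5(pseudo + header_zero_csum + payload + key).digest()


class KeyRoll:
    """Receiver-side key set for one BGP session (hypothetical class).

    Holds the current key and, only while a roll is in progress, the new
    one. Verification tries each key in turn, so the worst-case cost of
    an unauthenticated segment is len(self.keys) MD5 computations.
    """

    def __init__(self, current):
        self.keys = [("current", current)]
        self.md5_calls = 0   # bookkeeping to show the per-segment cost

    def stage_new(self, new):
        if len(self.keys) == 2:
            raise RuntimeError("a roll is already in progress")
        self.keys.append(("new", new))

    def finish_roll(self):
        # The new key becomes the only key; the old one is retired.
        if len(self.keys) != 2:
            raise RuntimeError("no roll in progress")
        self.keys = [("current", self.keys[1][1])]

    def verify(self, src_ip, dst_ip, tcp_header, payload, received):
        """Return the name of the key that validates the segment, or None."""
        for name, key in self.keys:
            self.md5_calls += 1
            expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
            if hmac.compare_digest(expected, received):
                return name
        return None


def roll_walkthrough():
    """Constructed scenario: peer A (192.0.2.1) sends to B (198.51.100.1);
    B rolls from OLD to NEW. Returns the outcome observed at each step."""
    OLD, NEW = b"old-shared-secret", b"new-shared-secret"
    a, b = "192.0.2.1", "198.51.100.1"
    hdr = build_tcp_header(179, 54321, seq=1000, ack=2000, flags=0x018)  # PSH|ACK
    keepalive = bytes([0xFF] * 16) + b"\x00\x13\x04"   # constructed BGP KEEPALIVE
    sign = lambda key: tcp_md5_digest(a, b, hdr, keepalive, key)
    rx = KeyRoll(OLD)
    out = []
    out.append(rx.verify(a, b, hdr, keepalive, sign(OLD)))   # steady state
    rx.stage_new(NEW)                                        # B's operator adds NEW
    out.append(rx.verify(a, b, hdr, keepalive, sign(OLD)))   # A still on OLD: fine
    out.append(rx.verify(a, b, hdr, keepalive, sign(NEW)))   # A switches: no reset
    before = rx.md5_calls
    out.append(rx.verify(a, b, hdr, keepalive, b"\x00" * 16))  # forged: rejected
    out.append(rx.md5_calls - before)                          # ...at two MD5s
    rx.finish_roll()                                           # OLD retired
    out.append(rx.verify(a, b, hdr, keepalive, sign(OLD)))     # OLD no longer accepted
    out.append(rx.verify(a, b, hdr, keepalive, sign(NEW)))     # NEW is now current
    return out
```

The order matters operationally: the receiver stages the new key first, the sender switches second, and the old key is retired only after both sides have switched. At no point is there a moment where a correctly signed segment from the peer fails, which is exactly what keeps the session from resetting.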