Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: key change for TCP-MD5

  • From: Bora Akyol
  • Date: Fri Jun 23 17:08:58 2006

Assumptions, assumptions.

If your IPSEC is being done in hardware and you have appropriate QoS
mechanisms
in your network, you will probably not be able to pass your best effort
traffic but the rest should be OK.

Can we get back to the regularly scheduled programming
instead of throwing big numbers around?
 
Barry had a point, if you do IPSEC stupidly, it does not protect you.
If you pay attention to detail, it does help. It is not the panacea.

For the purpose of securing BGP, I think IPSEC is easy to configure (at
least on IOS which is what I'm used to), and will do the job. And for
this application, I don't see why cert's can't be used either.

Regards

Bora


> -----Original Message-----
> From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] 
> Sent: Friday, June 23, 2006 1:46 PM
> To: Bora Akyol
> Cc: Barry Greene (bgreene); Ross Callon; nanog@merit.edu
> Subject: Re: key change for TCP-MD5
> 
> On Fri, 23 Jun 2006 13:35:20 PDT, Bora Akyol said:
> 
> > The validity of your statement depends tremendously on how IPSEC is 
> > implemented.
> 
> If 113 million packets all show up at once, you're going to 
> get DoS'ed, whether or not you have IPSEC enabled.
> 





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.