North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: key change for TCP-MD5

  • From: Iljitsch van Beijnum
  • Date: Tue Jun 20 15:34:58 2006

On 20-jun-2006, at 21:23, Randy Bush wrote:

What if we agree to change the key on our BGP session, I add the new
key on my side and start sending packets using the new key, while you
don't have the new key in your configuration yet?

again: try reading the draft
I've read the draft and it "solves" this problem with timing. That's insufficient because it requires that both sides do the right thing at the right time without any way to verify whether the other side is ready. What if one side didn't make the change, or entered the wrong key?

I think I've sufficiently explained myself now, I'm not going to do it again.