North American Network Operators Group


bgp protection

  • From: Randy Bush
  • Date: Mon Oct 15 19:52:20 2007

at nanog san jose, steve bellovin presented a simple proposal for bgp
tcp/md5 re-keying.  it is now rfc 4808 "Key Change Strategies for
TCP-MD5."  this allows us to install and/or roll keys without disturbing
the bgp session.  and it is trivial for vendors to implement and for
operators to use.

imiho, until it is easy for us to use ipsec, or some other wonderful
universal solution, that we implement and deploy rfc 4808.  it will
solve 95% of our problem for the next five years while more
sophisticated scheme(s) can be developed.

so i propose we ask our vendors to please implement 4808, which should
be far simpler than the other hacks they seem to be adding, and that
those of us who care enough to use data integrity assurance on our bgp
peerings deploy it.

kierkegaard
nietzsche
you are a stoopid schmuck
kant
:)

randy
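
A sketch of the receive-side behaviour that lets keys be rolled without resetting the session, added here as an example (not part of the original post and not any vendor's code): the receiver holds every key currently valid for the peer and drops a segment only if none of them validates it. The digest follows RFC 2385; the class name, keys, addresses and TCP header below are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

def tcp_md5_digest(src, dst, tcp_header, payload, key):
    """RFC 2385 digest: MD5 over pseudo-header, TCP header (options
    excluded, checksum zeroed), segment data, then the shared key."""
    seg_len = len(tcp_header) + len(payload)  # simplified: a real segment also counts its options
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    return hashlib.md5(pseudo + tcp_header + payload + key).digest()

class PeerKeys:
    """Hypothetical per-peer key list; the most recently used key is tried first."""
    def __init__(self, keys):
        self.keys = list(keys)

    def verify(self, src, dst, tcp_header, payload, digest):
        """Return the key that validates the segment, or None to drop it."""
        for i, key in enumerate(self.keys):
            expected = tcp_md5_digest(src, dst, tcp_header, payload, key)
            if hmac.compare_digest(expected, digest):
                self.keys.insert(0, self.keys.pop(i))  # keep the working key in front
                return key
        return None

# Constructed sample: one BGP KEEPALIVE from 192.0.2.1 to port 179 on 192.0.2.2.
SRC, DST = "192.0.2.1", "192.0.2.2"
HDR = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 2000, 5 << 4, 0x18, 16384, 0, 0)
DATA = b"\xff" * 16 + b"\x00\x13\x04"
OLD_KEY, NEW_KEY = b"old-peering-key", b"new-peering-key"

def signed_with(key):
    return tcp_md5_digest(SRC, DST, HDR, DATA, key)

def roll_keys():
    """Walk one key change as seen by the receiver; return (results, final key order)."""
    rx = PeerKeys([OLD_KEY])
    results = [rx.verify(SRC, DST, HDR, DATA, signed_with(OLD_KEY))]
    rx.keys.append(NEW_KEY)  # new key installed; the peer is still signing with the old one
    results.append(rx.verify(SRC, DST, HDR, DATA, signed_with(OLD_KEY)))
    results.append(rx.verify(SRC, DST, HDR, DATA, signed_with(NEW_KEY)))   # peer has rolled
    results.append(rx.verify(SRC, DST, HDR, DATA, signed_with(b"not-configured")))
    return results, rx.keys

if __name__ == "__main__":
    print(roll_keys())
```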