[100730] in North American Network Operators' Group
Re: bgp protection
daemon@ATHENA.MIT.EDU (Randy Bush)
Tue Nov 6 17:52:34 2007
From: Randy Bush <randy@psg.com>
Date: Mon, 5 Nov 2007 15:52:07 -0800
To: North American Network Operators Group <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
at the end of nanog, i sent two messages.
<http://www.merit.edu/mail.archives/nanog/msg03741.html> was a
minor side note re 204/4 , about which we can all really do nothing
for many years. it engendered the thread from hell.
<http://www.merit.edu/mail.archives/nanog/msg03735.html> was
regarding getting vendors to implement rfc 4808, about which we can
do something, and which i think would be rather useful in actual
operation of our networks. not a single comment ensued.
the key chunk of the latter is
> at nanog san jose, steve bellovin presented a simple proposal for bgp
> tcp/md5 re-keying. it is now rfc 4808 "Key Change Strategies for
> TCP-MD5." this allows us to install and/or roll keys without disturbing
> the bgp session. and it is trivial for vendors to implement and for
> operators to use.
>
> imiho, until it is easy for us to use ipsec, or some other wonderful
> universal solution, that we implement and deploy rfc 4808. it will
> solve 95% of our problem for the next five years while more
> sophisticated scheme(s) can be developed.
i again plead for folk to look at rfc 4808 and consider whacking
our vendors to implement.
randy