[90877] in North American Network Operators' Group
Re: key change for TCP-MD5
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Mon Jun 19 09:46:39 2006
In-Reply-To: <20060619083218.baf18251.smb@cs.columbia.edu>
Cc: NANOG list <nanog@merit.edu>
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Mon, 19 Jun 2006 15:40:50 +0200
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Errors-To: owner-nanog@merit.edu
On 19-jun-2006, at 14:32, Steven M. Bellovin wrote:
> I just submitted an I-D on TCP-MD5 key change. Until it shows up
> in the
> official repository, see
> http://www.cs.columbia.edu/~smb/papers/draft-bellovin-
> keyroll2385-00.txt
> Here's the abstract:
> The TCP-MD5 option is most commonly used to secure
> BGP sessions between routers. However, changing
> the long-term key is difficult, since the change
> needs to be synchronized between different
> organizations.
> We describe single-ended strategies that will permit
> (mostly) unsynchronized key changes.
> Comments welcome.
I wonder how long that policy will hold. (-:
Ok:
First of all, I applaud this effort.
There doesn't really seem to be a way to introduce a new key other
than to just to agree on a time. I'm not sure this is good enough.
Wouldn't it be better to exchange some kind of "time to change keys"
message? This could simply be a new type of BGP message that hold a
key ID. Obviously the capability to send and receive these messages
must be negotiated when the session is created, but still, I think
the extra complexity is worth it because it allows for much more
robust operation.
And is NANOG now officially an IETF working group...?
Iljitsch
