[90904] in North American Network Operators' Group


Re: key change for TCP-MD5

daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Tue Jun 20 15:35:01 2006

In-Reply-To: <17560.19239.35424.298456@roam.psg.com>
Cc: NANOG list <nanog@merit.edu>
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Tue, 20 Jun 2006 21:33:12 +0200
To: Randy Bush <randy@psg.com>
Errors-To: owner-nanog@merit.edu


On 20-jun-2006, at 21:23, Randy Bush wrote:

>> What if we agree to change the key on our BGP session, I add the new
>> key on my side and start sending packets using the new key, while you
>> don't have the new key in your configuration yet?

> again: try reading the draft

I've read the draft and it "solves" this problem with timing. That's insufficient because it requires that both sides do the right thing at the right time without any way to verify whether the other side is ready. What if one side didn't make the change, or entered the wrong key?

I think I've sufficiently explained myself now; I'm not going to do it again.
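The key-change race described in the message above, as an added example that is not part of the thread or of the draft under discussion: it computes the RFC 2385 TCP-MD5 digest over a constructed BGP KEEPALIVE segment and shows what a receiver sees when the sender has already switched keys. The addresses, keys and the receiver's "accept any key in its chain" model are assumptions of this example, not something the draft specifies.

```python
import hashlib
import hmac
import socket
import struct

PROTO_TCP = 6

def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_header: bytes, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over the TCP pseudo-header (src, dst, zero-padded
    protocol, segment length), the 20-byte TCP header with its checksum zeroed and
    options excluded, the segment data, and finally the shared key."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, PROTO_TCP, seg_len)
    hdr = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]  # checksum field assumed zero
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def build_bgp_segment(src_ip: str, dst_ip: str, payload: bytes, send_key: bytes):
    """Constructed 20-byte TCP header (ephemeral port -> 179, PSH/ACK, no options) signed with send_key."""
    hdr = struct.pack("!HHIIBBHHH", 49152, 179, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return hdr, payload, tcp_md5_digest(src_ip, dst_ip, hdr, payload, send_key)

def receiver_verify(src_ip: str, dst_ip: str, hdr: bytes, payload: bytes, digest: bytes, accept_keys) -> bool:
    """Receiver with a key chain: the segment is accepted if any configured key reproduces the digest.
    A mismatch is all the receiver ever learns; it cannot tell 'peer switched early' from 'peer typed the key wrong'."""
    return any(hmac.compare_digest(tcp_md5_digest(src_ip, dst_ip, hdr, payload, k), digest) for k in accept_keys)

def rollover(sender_key: bytes, receiver_keys) -> bool:
    """Model one direction of the session: A sends a KEEPALIVE with sender_key, B checks it against receiver_keys."""
    a, b = "192.0.2.1", "192.0.2.2"  # RFC 5737 documentation addresses (constructed)
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"  # BGP KEEPALIVE: 16-byte marker, length 19, type 4
    hdr, data, sig = build_bgp_segment(a, b, keepalive, sender_key)
    return receiver_verify(a, b, hdr, data, sig, receiver_keys)

OLD, NEW = b"old-secret", b"new-secret"  # constructed keys

if __name__ == "__main__":
    print("A on NEW, B still only OLD   ->", rollover(NEW, [OLD]))        # False: MD5 failure, session drops
    print("A on NEW, B accepts OLD+NEW  ->", rollover(NEW, [OLD, NEW]))   # True: overlap window absorbs the early switch
    print("A on NEW, B mistyped the key ->", rollover(NEW, [OLD, b"new-secert"]))  # False: indistinguishable from above
```

Operationally the only signal of either failure is the MD5 mismatch counter or log on the receiving router, which is what makes an out-of-band confirmation that both sides are ready worth having before the send key changes.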
