[90907] in North American Network Operators' Group
Re: key change for TCP-MD5
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Jun 20 15:55:40 2006
To: Iljitsch van Beijnum <iljitsch@muada.com>
Cc: Bora Akyol <bora@broadcom.com>, NANOG list <nanog@merit.edu>
In-Reply-To: Your message of "Tue, 20 Jun 2006 21:16:05 +0200." <950F7B60-6DCA-4B0D-8262-869280833893@muada.com>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 20 Jun 2006 15:53:51 -0400
Errors-To: owner-nanog@merit.edu
On Tue, 20 Jun 2006 21:16:05 +0200, Iljitsch van Beijnum said:
> What if we agree to change the key on our BGP session, I add the new
> key on my side and start sending packets using the new key, while you
> don't have the new key in your configuration yet?
How is that *any* different than you sending an e-mail saying "Here's the new
key we'll put into production at 3:17:04.97 GMT, hope you're NTP-synced" and
not waiting for an ACK from the other end before proceeding?
I'd encourage my competitors to design their procedures that way, but it only
works for competitors that you aren't either peering or directly transiting
with. Otherwise, you're merely handing them a loaded gun to point at your
feet...
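An added example, not part of the thread or of any vendor's code, that models the situation in Iljitsch's question with the RFC 2385 signature arithmetic: the sender has already moved to the new key, a peer that still holds only the old key cannot validate the segment and discards it, while a peer configured to try both keys during the changeover window (what key-chain implementations provide; plain RFC 2385 knows only one key per connection) keeps the session up. Addresses, keys, ports and the BGP KEEPALIVE payload are constructed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# RFC 2385 TCP-MD5 option: kind 19, length 18 (16-byte digest), usually padded
# with two NOPs to 20 bytes so the TCP header stays word-aligned.
MD5_OPTION_LEN = 20

def build_fixed_header(sport, dport, seq, ack, flags, window):
    """20-byte fixed TCP header; data offset 10 words = 20 hdr + 20 option bytes."""
    offset_flags = (10 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)

def tcp_md5_digest(src, dst, fixed_hdr, payload, key):
    """RFC 2385 digest: MD5 over the pseudo-header, the fixed TCP header with the
    checksum zeroed (options excluded), the segment data, then the shared key."""
    seg_len = len(fixed_hdr) + MD5_OPTION_LEN + len(payload)  # TCP length incl. options
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, seg_len)
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]       # checksum field -> 0
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def verify_segment(src, dst, fixed_hdr, payload, received_digest, configured_keys):
    """Return the key that validates the segment, or None when the receiver has
    to discard it. Trying several keys models a rollover window (constructed
    behaviour here); RFC 2385 itself binds one key to the connection."""
    for key in configured_keys:
        expected = tcp_md5_digest(src, dst, fixed_hdr, payload, key)
        if hmac.compare_digest(expected, received_digest):
            return key
    return None

def rollover_demo():
    """Sender has switched to the new key; compare a peer that has not yet been
    told against one that accepts both keys during the changeover."""
    old_key, new_key = b"old-shared-secret", b"new-shared-secret"  # constructed
    src, dst = "192.0.2.1", "192.0.2.2"                             # constructed peers
    hdr = build_fixed_header(179, 40000, 1000, 2000, 0x018, 65535)  # PSH|ACK, BGP port
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"                      # BGP KEEPALIVE: marker, len 19, type 4
    sig = tcp_md5_digest(src, dst, hdr, keepalive, new_key)
    not_updated = verify_segment(src, dst, hdr, keepalive, sig, [old_key])
    in_rollover = verify_segment(src, dst, hdr, keepalive, sig, [old_key, new_key])
    return not_updated, in_rollover  # (None, b"new-shared-secret")

if __name__ == "__main__":
    dropped, accepted = rollover_demo()
    print("peer still on old key:", "DISCARD" if dropped is None else "accept")
    print("peer with both keys:  ", "accept with", accepted)
```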