[90932] in North American Network Operators' Group
RE: key change for TCP-MD5
daemon@ATHENA.MIT.EDU (Randy Bush)
Wed Jun 21 11:59:26 2006
From: Randy Bush <randy@psg.com>
Date: Wed, 21 Jun 2006 08:58:56 -0700
To: Ross Callon <rcallon@juniper.net>
Cc: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
>> All the multiple keys do is to decrease the cost of the DOS.
> Yes
let's try to remember that, in reality, this is all about allowing
two bgp peers to move to a new key without having the operators on
the phone to keep the bgp session from resetting. i.e.,
o it will be uncommon that there is more than one key active
at any one time
o it is not expected that there are more than two, current and
new (soon to be current and old:-) active at any one time
smb is proposing a simple, compatible, unilaterally implementable,
and unilaterally deployable hack to solve a real ops problem.
the RSs aside, a lot of very big and small networks use tcp/md5 on
their bgp sessions, and key roll is a major pita and therefore a
serious barrier to good key hygiene.
randy
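The roll sequence the message describes, worked through as an added simulation that is not from the thread, from smb's proposal or from any router implementation: each peer signs with one key and accepts any key in a short list, so during a roll at most two keys (current and new) are active on a side, and the session keeps verifying while each side adds the new key, switches to it, and drops the old one without the other side having to act at the same moment. The signature here is a simplified stand-in for RFC 2385 (MD5 over the segment plus the key, not the real pseudo-header layout), and the peer model, key names and step order are assumptions made for the illustration. The `md5_ops` counter shows the point made in the quoted lines: a bad segment costs one MD5 per active key before it is dropped, so with two keys the verification cost at most doubles.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def md5_sign(segment: bytes, key: bytes) -> bytes:
    """Simplified RFC 2385-style signature: MD5 over the segment then the key.

    The real option hashes the IP pseudo-header, TCP header, data and key;
    'segment' stands in for all of that (constructed simplification).
    """
    return hashlib.md5(segment + key).digest()


@dataclass
class Peer:
    name: str
    send_key: bytes                                   # key used to sign outgoing segments
    accept_keys: list = field(default_factory=list)   # keys tried on receive (1, or 2 mid-roll)
    md5_ops: int = 0                                  # MD5 computations spent on inbound segments

    def send(self, payload: bytes):
        return payload, md5_sign(payload, self.send_key)

    def receive(self, payload: bytes, digest: bytes) -> bool:
        # Try every configured key. A damaged or forged segment costs one MD5
        # per active key before it is dropped; with at most two keys active
        # that cost at most doubles, which is the DOS-cost point in the thread.
        for key in self.accept_keys:
            self.md5_ops += 1
            if hmac.compare_digest(md5_sign(payload, key), digest):
                return True
        return False


def exchange_ok(a: Peer, b: Peer) -> bool:
    """True if one segment in each direction verifies at the far end."""
    return b.receive(*a.send(b"KEEPALIVE")) and a.receive(*b.send(b"KEEPALIVE"))


def roll_key(a: Peer, b: Peer, new_key: bytes):
    """Roll both peers from their current single key to new_key, one side at a time.

    Returns a list of (step, both directions verified, max keys active on a peer)
    so the caller can confirm the session never broke and never needed >2 keys.
    """
    log = []

    def record(step: str) -> None:
        active = max(len(a.accept_keys), len(b.accept_keys))
        log.append((step, exchange_ok(a, b), active))

    old_key = a.accept_keys[0]
    record("start: one shared key on both sides")
    a.accept_keys.append(new_key)
    record(f"{a.name} also accepts the new key")
    b.accept_keys.append(new_key)
    record(f"{b.name} also accepts the new key")
    a.send_key = new_key
    record(f"{a.name} signs with the new key")
    b.send_key = new_key
    record(f"{b.name} signs with the new key")
    a.accept_keys.remove(old_key)
    record(f"{a.name} drops the old key")
    b.accept_keys.remove(old_key)
    record(f"{b.name} drops the old key")
    return log


if __name__ == "__main__":
    # Constructed sample keys; real deployments would use long random secrets.
    a = Peer("A", b"oldkey", [b"oldkey"])
    b = Peer("B", b"oldkey", [b"oldkey"])
    for step, ok, active in roll_key(a, b, b"newkey"):
        print(f"{'ok ' if ok else 'BROKEN'}  keys active={active}  {step}")
```

Each step in the printed log should verify in both directions with at most two keys active; a session that ever shows BROKEN is one where the roll order forced a reset, which is exactly the phone call the message wants to avoid.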