nanog mailing list archives
Re: IGP protocol
From: Grant Taylor via NANOG <nanog () nanog org>
Date: Sun, 18 Nov 2018 12:04:57 -0700
Warning: n00b level question, ignore at your own discretion. On 11/18/18 3:59 AM, Saku Ytti wrote:
Not arguing that MacSec isn't superior feature, it's just cost of MacSec is non-trivial compared to cost of HMAC-MD5, and it seems HMAC-MD5 for certain attacks is strong guarantee. Ideally we'd implement TCP-AO (RFC5925) to replace BGP HMAC-MD5, just to get derived secret instead of static (how many change their MD5 secret periodically?) but it looks like ship may have sailed on that one.
Is it not possible to protect (just) the eBGP with IPsec?I would think that IPsec would provide the desired protection and that tuning filters to the proper ports would reduce the overhead that MACsec might incur with all traffic being encrypted.
Does anyone have any real world experience to offer this n00b? Thank you in advance. -- Grant. . . . unix || die
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- SV: IGP protocol, (continued)
- SV: IGP protocol Gustav Ulander (Nov 14)
- Re: IGP protocol James Bensley (Nov 15)
- Re: IGP protocol Alain Hebert (Nov 13)
- Re: IGP protocol Saku Ytti (Nov 13)
- Re: IGP protocol Mark Tinka (Nov 18)
- Re: IGP protocol Saku Ytti (Nov 18)
- Re: IGP protocol Alfie Pates (Nov 18)
- Re: IGP protocol Saku Ytti (Nov 18)
- Re: IGP protocol Nick Hilliard (Nov 18)
- Re: IGP protocol Mark Tinka (Nov 18)
- Re: IGP protocol Grant Taylor via NANOG (Nov 18)
- Re: IGP protocol Saku Ytti (Nov 18)
- Re: IGP protocol Mark Tinka (Nov 18)
- Re: IGP protocol Saku Ytti (Nov 18)
- Re: IGP protocol Mark Tinka (Nov 19)
- Re: IGP protocol Mark Tinka (Nov 18)
- Re: IGP protocol Jay Nugent (Nov 16)
- Re: IGP protocol Matt Erculiani (Nov 16)