nanog mailing list archives

RE: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")


From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Mon, 21 Oct 2019 09:30:45 -0600


On 21/10/19 6:30 pm, Bjørn Mork wrote:

Yes, and I really like Julien's proposal.  It even looks pretty
complete.  There are just a few details missing around how to make the
MD5 => TLS transition smooth.

At least for those systems that run on Linux (which is most all of the
majors except Juniper) I suspect if we went to the relevant kernel folk
with a clear plan on handling TCP-MD5 in a way that would make
transitions much easier they'd listen.

Why do you need to do anything?  TLS is Transport Layer Security and its sole purpose is to protect communications
from eavesdropping or modification by wiretappers on/in the line between points A and B.  MD5 in BGP is used for
authentication (rudimentary, but authentication nonetheless).

Why cannot one just put the MD5 authenticated connection inside a TLS connection?  What is the advantage to be gained
by replacing the authentication mechanism with the weaker certificate authentication method available with TLS?

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
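As an added illustration of what the "MD5 in BGP" authentication in this thread actually covers (example code written for this archive page, not code from any poster or any router vendor), the following Python computes and verifies the RFC 2385 TCP-MD5 option digest for an IPv4 segment carrying a BGP KEEPALIVE. All addresses, ports, sequence numbers and the shared key are constructed sample values. The digest is keyed and covers the TCP pseudo-header and fixed TCP header as well as the data, which is why a segment whose header or payload is altered, or whose sender lacks the key, fails verification.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCP_BASE_HDR_LEN = 20


def tcp_md5_signature(src_ip, dst_ip, src_port, dst_port, seq, ack, flags,
                      window, urgent, options_len, payload, key):
    """RFC 2385 digest for one IPv4 TCP segment.

    Hashed in order: (1) the TCP pseudo-header, (2) the fixed 20-byte TCP
    header with the checksum forced to zero and options excluded, (3) the
    segment data, (4) the shared key.  `options_len` is the total length of
    TCP options in the real segment (the MD5 option is 18 bytes, normally
    padded to 20); the data-offset field and the pseudo-header length both
    include it even though the option bytes themselves are not hashed.
    """
    if options_len % 4 or options_len > 40:
        raise ValueError("options_len must be a multiple of 4, at most 40")
    header_len = TCP_BASE_HDR_LEN + options_len
    segment_len = header_len + len(payload)

    # (1) pseudo-header: src addr, dst addr, zero byte, protocol, TCP length
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, segment_len))

    # (2) fixed header: data offset in 32-bit words, 9 flag bits, checksum 0
    doff_flags = ((header_len // 4) << 12) | (flags & 0x1FF)
    tcp_hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                          doff_flags, window, 0, urgent)

    # (3) data and (4) key
    return hashlib.md5(pseudo + tcp_hdr + payload + key).digest()


def verify_segment(fields, received_digest, key):
    """True if the digest carried in the segment matches the recomputed one."""
    expected = tcp_md5_signature(**fields, key=key)
    return hmac.compare_digest(expected, received_digest)


# Constructed sample: a BGP KEEPALIVE (RFC 4271: 16-byte marker, length 19,
# type 4) sent from a speaker on port 179 to its peer, flags PSH|ACK.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
SAMPLE = dict(src_ip="192.0.2.1", dst_ip="192.0.2.2",
              src_port=179, dst_port=50000,
              seq=0x1000, ack=0x2000, flags=0x018, window=65535, urgent=0,
              options_len=20, payload=BGP_KEEPALIVE)


def demo():
    """Sign the sample segment and show which alterations the digest catches."""
    key = b"example-shared-secret"   # constructed; real keys are per-neighbour
    sig = tcp_md5_signature(**SAMPLE, key=key)
    return {
        # unmodified segment, correct key
        "genuine": verify_segment(SAMPLE, sig, key),
        # receiver configured with a different key
        "wrong_key": verify_segment(SAMPLE, sig, b"other-key"),
        # same digest reused on a segment whose TCP header was changed
        # (flags RST|ACK, no data), e.g. a spoofed reset
        "header_changed": verify_segment(
            {**SAMPLE, "flags": 0x014, "payload": b""}, sig, key),
        # one byte of the BGP message altered in flight
        "payload_tampered": verify_segment(
            {**SAMPLE, "payload": BGP_KEEPALIVE[:-1] + b"\x01"}, sig, key),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:17s} verifies: {ok}")
```

The point the example makes about the thread's question: TCP-MD5 binds the shared key to the TCP header (addresses, ports, sequence numbers, flags), so a forged segment such as a reset does not verify; that transport-level protection was the original motivation of RFC 2385. A TLS session wrapped around the same connection protects the BGP byte stream but not the TCP headers beneath it, so the two mechanisms cover different things and can be layered rather than traded.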


