nanog mailing list archives

RE: BGP over TLS

From: Robert McKay <robert () mckay com>
Date: Mon, 21 Oct 2019 16:44:28 +0100

On 2019-10-21 16:30, Keith Medcalf wrote:

On 21/10/19 6:30 pm, Bjørn Mork wrote:

Yes, and I really like Julien's proposal.  It even looks pretty
complete. There are just a few details missing around how to makethe
MD5 => TLS transition smooth.

At least for those systems that run on Linux (which is most all of the

major's except Juniper) I suspect if we went to the relevant kernelfolk

with a clear plan on how handling TCP-MD5 in a way that would make
transitions much easier they'd listen.


Why do you need to do anything?  TLS is Transport Layer Security and
it's sole purpose is to protect communications from eavesdropping or
modification by wiretappers on/in the line between points A and B.
MD5 in BGP is used for authentication (rudimentary, but authentication
nonetheless).

Why cannot one just put the MD5 authenticated connection inside a TLS
connection?  What is the advantage to be gained by replacing the
authentication mechanism with weaker certificate authentication method
available with TLS?

The MD5 authentication is built into TCP options.. not obvious how youwould transport it over TLS which afaik doesn't offer similarfunctionality.

You'd probably have to basically tunnel TCP frames inside TLS, whichdoesn't really sound ideal (reimplement TCP in userspace?)

Either that or maybe use some other simpler MD5 based authentication(unrelated to the TCP implementation currently used in BGP).. but thenthat raises lots of questions like why even use MD5.

Rob

Current thread:

Re: "Using Cloud Resources to Dramatically Improve Internet Routing", (continued)
- - - Re: "Using Cloud Resources to Dramatically Improve Internet Routing" Dennis Lundström (Oct 10)
  - Re: "Using Cloud Resources to Dramatically Improve Internet Routing" Hank Nussbacher (Oct 07)
    - Re: "Using Cloud Resources to Dramatically Improve Internet Routing" Bjørn Mork (Oct 20)
    - Re: "Using Cloud Resources to Dramatically Improve Internet Routing" Julien Goodwin (Oct 20)
    - Message not available
    - Re: "Using Cloud Resources to Dramatically Improve Internet Routing" Bjørn Mork (Oct 20)
    - Re: "Using Cloud Resources to Dramatically Improve Internet Routing" Christopher Morrow (Oct 20)
    - BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing") Bjørn Mork (Oct 21)
    - Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing") Julien Goodwin (Oct 21)
    - RE: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing") Keith Medcalf (Oct 21)
    - Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing") Radu-Adrian Feurdean (Oct 21)
    - RE: BGP over TLS Robert McKay (Oct 21)
    - RE: BGP over TLS Keith Medcalf (Oct 21)
    - Re: BGP over TLS Joe Abley (Oct 21)
    - Re: BGP over TLS Tony Finch (Oct 21)
    - Re: BGP over TLS Jared Mauch (Oct 21)
    - Re: BGP over TLS Grant Taylor via NANOG (Oct 21)
    - Re: BGP over TLS Julien Goodwin (Oct 22)
    - Re: BGP over TLS Christopher Morrow (Oct 22)
    - RE: BGP over TLS Keith Medcalf (Oct 22)
    - Re: BGP over TLS Chris Adams (Oct 22)
    - Re: BGP over TLS Brandon Martin (Oct 22)

(Thread continues...)