nanog mailing list archives

Re: key change for TCP-MD5


From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Mon, 19 Jun 2006 09:47:56 -0400


On Mon, 19 Jun 2006 08:59:45 -0400, Joe Maimon <jmaimon () ttec com> wrote:

> Steven M. Bellovin wrote:
>
>> I just submitted an I-D on TCP-MD5 key change.  Until it shows up in the
>> official repository, see
>> http://www.cs.columbia.edu/~smb/papers/draft-bellovin-keyroll2385-00.txt
>> Here's the abstract:
>>
>>                 The TCP-MD5 option is most commonly used to secure
>>                 BGP sessions between routers.  However, changing
>>                 the long-term key is difficult, since the change
>>                 needs to be synchronized between different
>>                 organizations.
>>                 We describe single-ended strategies that will permit
>>                 (mostly) unsynchronized key changes.
>>
>> Comments welcome.
>>
>>             --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
>
> This I-D says BGP implementations should be able to be configured with
> multiple keys for peers and should do the Intelligent Thing with them.
>
> Makes sense to me.
>
> Did I read it right?

Yes.

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
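An added illustration of the multiple-key idea the thread discusses (example code written for this archive page, not from the draft, the thread, or any router implementation): an RFC 2385 digest routine plus a per-peer key ring that verifies inbound segments against every configured key. The send-side policy (start with the newest key, fall back to an older one when the peer never acknowledges, move forward once the peer uses a newer key) and the sample segment are assumptions made for the example, not the draft's own procedure.

```python
import hashlib
import hmac
import socket
import struct


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 signature: MD5 over the IPv4 pseudo-header, the fixed TCP
    header with its checksum field zeroed (options excluded), the payload,
    and finally the key itself."""
    doff = (tcp_header[12] >> 4) * 4      # header length incl. options
    seg_len = doff + len(payload)         # TCP length for the pseudo-header
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, 6, seg_len)
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()


class Md5KeyRing:
    """Per-peer keys, newest first. Assumed single-ended strategy (illustrative,
    not the draft's own text): accept inbound segments under any configured key;
    send with the newest key, fall back to an older one if the peer never ACKs,
    and move forward as soon as the peer itself uses a newer key."""

    def __init__(self, keys):
        self.keys = list(keys)
        self.send_idx = 0                  # optimistically start with the newest key

    def verify(self, src_ip, dst_ip, tcp_header, payload, digest):
        for i, key in enumerate(self.keys):
            expect = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
            if hmac.compare_digest(expect, digest):
                self.send_idx = min(self.send_idx, i)   # peer proved it has key i
                return True
        return False                       # no configured key matches: drop segment

    def sign(self, src_ip, dst_ip, tcp_header, payload):
        return tcp_md5_digest(src_ip, dst_ip, tcp_header, payload,
                              self.keys[self.send_idx])

    def on_timeout(self):
        """Retransmission timer fired: the peer may lack our key, try the next older one."""
        if self.send_idx < len(self.keys) - 1:
            self.send_idx += 1


# Constructed sample segment: BGP port 179, data offset 10 (40-byte header with
# room for the 18-byte MD5 option), PSH|ACK, carrying a BGP KEEPALIVE message.
SAMPLE_HDR = struct.pack("!HHIIBBHHH", 179, 40001, 1000, 2000, 10 << 4, 0x18, 65535, 0, 0)
SAMPLE_PAYLOAD = b"\xff" * 16 + b"\x00\x13\x04"
```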

