nanog mailing list archives
RE: key change for TCP-MD5
From: "Bora Akyol" <bora () broadcom com>
Date: Tue, 20 Jun 2006 12:12:31 -0700
The draft allows you to have a set of keys in your keychain and the implementation tries all of them before declaring the segment as invalid. No time synchronization required. No BGP message required. The added cost for CPU-bound systems is that they have to try (potentially) multiple keys before getting the **right** key but in real life this can be easily mitigated by having a rating system on the key based on the frequency of success. Regards Bora
-----Original Message----- From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Iljitsch van Beijnum Sent: Monday, June 19, 2006 10:22 AM To: Randy Bush Cc: NANOG list Subject: Re: key change for TCP-MD5 On 19-jun-2006, at 19:10, Randy Bush wrote:try reading more carefullyDidn't help...how sad, as the whole document is about how to usefully be able to introduce and roll to new keys without agreeing on a narrow time.Well, as you can tell from my message just now, I don't think going from agreeing on a narrow time to agreeing on a wider time is worth the trouble, especially since by adding a BGP message it would be possible to roll over if and as soon as both sides are ready, removing the "wait for some time and then see whether the other end really installed the new key" part from the proceedings.
Current thread:
- Re: key change for TCP-MD5, (continued)
- Re: key change for TCP-MD5 Steven M. Bellovin (Jun 19)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 19)
- Re: key change for TCP-MD5 Randy Bush (Jun 19)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 19)
- Re: key change for TCP-MD5 Randy Bush (Jun 19)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 19)
- Re: key change for TCP-MD5 Steven M. Bellovin (Jun 19)
- Re: key change for TCP-MD5 Edward B. DREGER (Jun 19)
- Message not available
- Re: key change for TCP-MD5 Steven M. Bellovin (Jun 22)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 22)
- RE: key change for TCP-MD5 David Schwartz (Jun 22)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 20)
- Re: key change for TCP-MD5 Randy Bush (Jun 20)
- Re: key change for TCP-MD5 Iljitsch van Beijnum (Jun 20)
- Re: key change for TCP-MD5 Crist Clark (Jun 20)
- Re: key change for TCP-MD5 Richard A Steenbergen (Jun 20)
- Re: key change for TCP-MD5 Warren Kumari (Jun 20)
- Re: key change for TCP-MD5 Randy Bush (Jun 20)