netsec-sig - Re: [Security-WG] I2 - MD5/TCP-AO Discussion Paper, draft
Subject: Internet2 Network Security SIG
- From: David Farmer <>
- To:
- Subject: Re: [Security-WG] I2 - MD5/TCP-AO Discussion Paper, draft
- Date: Thu, 30 Mar 2017 14:47:53 -0500
On Thu, Mar 30, 2017 at 1:43 PM, Michael H Lambert <> wrote:
> On 30 Mar 2017, at 12:14, gcbrowni <> wrote:
>
> > Many people within the community use MD5 authentication and have had little to no trouble, with others reporting concerns. Sites will need to weigh the pros and cons carefully before making a decision.
> I think this sums things up very succinctly. Credential management aside, there is the question of no authentication vs MD5 vs TCP-AO and what is supported by a site's (and a site's peers') BGP speakers (be they vendor iron or open source). In many cases this decision will be driven by the lowest common denominator of features or by economics rather than by technical considerations or risk mitigation.
> Michael
BGP TTL Security (RFC 7454, section 5.2) and GTSM (RFC 5082) should at least be mentioned as another possible way to protect BGP sessions, especially if authentication is not used.
===============================================
David Farmer
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================