Skip to Content.
Sympa Menu

netsec-sig - Re: [Security-WG] I2 - MD5/TCP-AO Discussion Paper, draft

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] I2 - MD5/TCP-AO Discussion Paper, draft


Chronological Thread 
  • From: gcbrowni <>
  • To:
  • Subject: Re: [Security-WG] I2 - MD5/TCP-AO Discussion Paper, draft
  • Date: Fri, 31 Mar 2017 10:10:37 -0400
  • Ironport-phdr: 9a23:ptlSUB1Hia5Tpp2zsmDT+DRfVm0co7zxezQtwd8Zse0RL/ad9pjvdHbS+e9qxAeQG96KtrQV0qGJ6+jJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fdbghMhDexe7d/IAi5oQjTqsUdnJdvJLs2xhbVuHVDZv5YxXlvJVKdnhb84tm/8Zt++ClOuPwv6tBNX7zic6s3UbJXAjImM3so5MLwrhnMURGP5noHXWoIlBdDHhXI4wv7Xpf1tSv6q/Z91SyHNsD4Ubw4RTKv5LptRRT1iikIKiQ5/XnXhMNsg61VvRyvpxJhzYHWY4+bM+FzfqzBcdMfX2dBXtpdWi5HD4ihb4UPFe0BPeNAoonyu1QBtgG+BQ6iBePpyz9Dm3j73aIm3Os6CwHG2wIhH9QPsHnPo9X1MKASXvuvw6nMyzXDaO9Z1S386IjVaBwuv+yDXa9pfMfX1EIhFBvFg02NpYHqOz6ZzPkBvmmb4uZ6SO6ihWEqpxtwrzWr3sshi4bEipgIxl3K+ih12ps5KNymREJhf9KoDpVduieHPIVsWMwiWXtnuCMix70Gp5G7eC8KxYwixxHFavyHd5WE7gvlVOmPLzZ0nn1leKi5hxa17Ues0Oz8VtSu3FlUsyVFj8HAtnEL1xPN9siKUuZx80il1DqVygze6+FJLVopmafVJJMt2L89m54LvUTGBCD2mUH2jKGMdkUj/+il8+vnban9qZ+GMI91hAf+MqU1l8ywBeQ4NRMBUHKf+eS6073s4Vf1QLRXjvEsjKbWrY3aKdwBpqGlGw9Vzpoj6xGnAje9ztsXgWQHLEhEeBKbj4nlIl/PIP/jAPe7glSsiytrx+vYMrH7A5XNKGTDn6n7fbZ79UFc1BQ/wcpB6J1JF7FSaM70D1T8v8HCDwModhO76+fhFNhn0I4CAySCDrLKHrnVtAqH7eg1JPaKZcdBtz33Mf864f/Ggns+k1YZe66im5oKLn20A6I1cA2ifXPwj4JZQi8xtQ0kQbmyhQ==
These are all great comments! I’ll integrate them in to the text.

I appreciate the feedback

-G



On Mar 30, 2017, at 3:47 PM, David Farmer <> wrote:



On Thu, Mar 30, 2017 at 1:43 PM, Michael H Lambert <> wrote:
> On 30 Mar 2017, at 12:14, gcbrowni <> wrote:
>
> Many people within the community use MD5 authentication and have had little to no trouble, with others reporting concerns. Sites will need to weigh the pros and cons carefully before making a decision.

I think this sums things up very succinctly.  Credential management aside, there is the question of no authentication vs MD5 vs TCP-AO and what is supported by a site's (and a site's peers') BGP speakers (be they vendor iron or open source).  In many cases this decision will be driven by the lowest common denominator of features or by economics rather than by technical considerations or risk mitigation.

Michael


BGP TTL Security (RFC 7454, section 5.2) and GTSM (RFC5082) should at least be mentioned as another possible way to protect BGP sessions especially if authentication is not used.   

--
===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

Attachment: smime.p7s
Description: S/MIME cryptographic signature


Archive powered by MHonArc 2.6.19.

Top of Page