On (2013-07-21 07:31 +0200), Mark Tinka wrote:
> I'd normally use different MD5 passwords for different BGP
> sessions, even though they are with the same remote
> network.
For eBGP this is manageable, as there must already be a system for per-eBGP-session configuration. For iBGP it's very inconvenient, as typically that system is missing: iBGP config just appears from base templates, or the RR might be using an allow/listen stanza and not require any per-session configuration at all.

I'd really hope vendors would implement the TCP-AO RFC; it would fix this problem right up, as the actual configured password is used just as 'random' data for a KDF, which produces the real password used on the wire. And the KDF uses SIP, DIP, SPORT, DPORT and the initial sequence numbers for entropy, so someone who tries to recover the password only has the lifetime of that single TCP session; if the TCP session is reset, it's a new password.

It's baffling how naive the MD5 RFC is.

--
  ++ytti
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
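The key derivation the post describes, as an added worked example that is not part of the original message or of any vendor's implementation. It follows the structure of RFC 5926's KDF_HMAC_SHA1 as I read it (the 0x01 byte, the "TCP-AO" label, the IPv4 Context of source/destination address, port and ISN, and the 16-bit output length are taken from the RFC but should be checked against the text before any interop use); what the post calls the real password on the wire is the RFC's per-connection traffic key. For contrast it also computes an RFC 2385 TCP MD5 signature, where the configured password is hashed directly into every segment of every session. All addresses, ports, ISNs, the KEEPALIVE segment and the candidate passwords are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# ---- TCP-AO (RFC 5925/5926): the configured master key never goes on the wire ----
# Constants of RFC 5926 KDF_HMAC_SHA1 as I read the RFC (assumed; verify against
# the text before relying on this for interop).
TCPAO_LABEL = b"TCP-AO"
TCPAO_OUTPUT_LENGTH_BITS = 160  # one SHA-1 output

def tcpao_context(src_ip, dst_ip, src_port, dst_port, src_isn, dst_isn):
    """Context for IPv4: addresses, ports and ISNs of one direction of the
    connection. The caller passes 0 for an ISN that is not known yet (the
    responder's ISN while the SYN is in flight)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!HHII", src_port, dst_port, src_isn, dst_isn))

def kdf_hmac_sha1(master_key, context):
    """Traffic_Key = HMAC-SHA1(Master_Key, 0x01 || "TCP-AO" || Context || Output_Length)."""
    data = b"\x01" + TCPAO_LABEL + context + struct.pack("!H", TCPAO_OUTPUT_LENGTH_BITS)
    return hmac.new(master_key, data, hashlib.sha1).digest()

def tcpao_traffic_keys(master_key, local, remote):
    """Return (send_key, receive_key) for one endpoint; local/remote are
    (ip, port, isn). The send key uses local as source, the receive key uses
    remote as source, so my receive key equals the peer's send key."""
    (lip, lport, lisn), (rip, rport, risn) = local, remote
    send = kdf_hmac_sha1(master_key, tcpao_context(lip, rip, lport, rport, lisn, risn))
    recv = kdf_hmac_sha1(master_key, tcpao_context(rip, lip, rport, lport, risn, lisn))
    return send, recv

# ---- TCP MD5 (RFC 2385): the configured password IS the key, for every session ----
def tcp_md5_signature(password, src_ip, dst_ip, tcp_header, payload):
    """MD5 over pseudo-header || TCP header (no options, checksum zeroed) || data || password."""
    tcp_len = len(tcp_header) + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)
    header = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + header + payload + password).digest()

def md5_offline_guess(candidates, src_ip, dst_ip, tcp_header, payload, captured_sig):
    """Check candidate passwords against one captured segment and its MD5 option.
    A hit is the long-lived configured password, valid for every session."""
    for pw in candidates:
        if tcp_md5_signature(pw, src_ip, dst_ip, tcp_header, payload) == captured_sig:
            return pw
    return None

def demo(master_key=b"s3cret-bgp-key"):
    """Two successive sessions between the same peers (constructed addresses,
    ports and ISNs), same configured key both times."""
    a, b = ("192.0.2.1", 179), ("192.0.2.2", 54321)
    a1, b1 = (*a, 0x11111111), (*b, 0x22222222)   # session 1 ISNs
    a2, b2 = (*a, 0x33333333), (*b, 0x44444444)   # session 2, after a reset
    a_send1, a_recv1 = tcpao_traffic_keys(master_key, a1, b1)
    b_send1, b_recv1 = tcpao_traffic_keys(master_key, b1, a1)
    a_send2, _ = tcpao_traffic_keys(master_key, a2, b2)

    # TCP MD5: one constructed BGP KEEPALIVE segment captured from session 1
    # (20-byte header: ports, seq, ack, offset/flags, window, checksum, urgent)
    hdr1 = struct.pack("!HHIIHHHH", 179, 54321, 0x11111113, 0x22222223, 0x5018, 0xFFFF, 0, 0)
    payload = b"\xff" * 16 + b"\x00\x13\x04"  # BGP KEEPALIVE: marker, length 19, type 4
    sig1 = tcp_md5_signature(master_key, a[0], b[0], hdr1, payload)
    hit = md5_offline_guess([b"cisco", b"s3cret-bgp-key", b"juniper"],
                            a[0], b[0], hdr1, payload, sig1)
    return {
        "ao_keys_change_per_session": a_send1 != a_send2,
        "ao_peer_keys_match": a_send1 == b_recv1 and a_recv1 == b_send1,
        "ao_traffic_key_len": len(a_send1),
        "md5_recovered_password": hit,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two halves show the asymmetry the post is complaining about: under TCP-AO the same master key yields a different traffic key as soon as either ISN changes, and a key recovered from one session says nothing about the next, whereas under RFC 2385 a single captured segment is enough to test password guesses offline, and a hit is the key for every session configured with that password.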

