On 10/21/19 4:41 PM, Jeffrey Haas wrote:
I'm not someone qualified, but I'll regurgitate what I've distilled from past
conversations with those who are. :-)
Presuming your key is strong enough, it may be infeasible to break it in a time
that's of interest to the parties involved. The primary
> On Oct 21, 2019, at 4:17 PM, Brandon Martin wrote:
>
> On 10/21/19 3:37 PM, Jeffrey Haas wrote:
>> BGP over ipsec works fine. But that said, it's mostly done with pre-shared
>> keys.
>
> Is anybody actually doing it in practice?
Absolutely. In the SP sector? Less clear.
>> The ugly
This was one thing I highlighted to the people telling me how I secure my
network wrong. If it's HTTP and you lose a few clients maybe they don't care.
If it's BGP I have one client and I care a lot and that session dropping can be
gigs to tbps of traffic.
Sent from my iCar
> On Oct 21,
> On Oct 21, 2019, at 3:25 PM, Brandon Martin wrote:
>
> On 10/21/19 11:30 AM, Keith Medcalf wrote:
>> Why cannot one just put the MD5 authenticated connection inside a TLS
>> connection? What is the advantage to be gained by replacing the
>> authentication mechanism with weaker
On 10/21/19 3:37 PM, Jeffrey Haas wrote:
> BGP over ipsec works fine. But that said, it's mostly done with pre-shared
> keys.
Is anybody actually doing it in practice? Every transit and peering document
I've ever seen just talks about TCP-MD5 (if it talks about authentication at
all).
>
On 10/21/2019 1:25 PM, Brandon Martin wrote:
Wouldn't ipsec be a "cleaner" solution to this (bugginess of implementations and
difficulty of configuration aside)? It would also solve the TCP-RST injection issues that TCP-MD5
was intended to resolve. You can use null encryption with ESP or even
On 10/21/19 11:30 AM, Keith Medcalf wrote:
> Why cannot one just put the MD5 authenticated connection inside a TLS
> connection? What is the advantage to be gained by replacing the
> authentication mechanism with weaker certificate authentication method
> available with TLS?
Self-issued
On Mon, Oct 21, 2019, at 17:30, Keith Medcalf wrote:
> Why do you need to do anything? TLS is Transport Layer Security and
> its sole purpose is to protect communications from eavesdropping or
> modification by wiretappers on/in the line between points A and B. MD5
> in BGP is used for
>On 21/10/19 6:30 pm, Bjørn Mork wrote:
>> Yes, and I really like Julien's proposal. It even looks pretty
>> complete. There are just a few details missing around how to make the
>> MD5 => TLS transition smooth.
>At least for those systems that run on Linux (which is most all of the
>major's
On 21/10/19 6:30 pm, Bjørn Mork wrote:
> Christopher Morrow writes:
>
>> isn't julien's idea more akin to DOT than DOH ?
>
> Yes, and I really like Julien's proposal. It even looks pretty
> complete. There are just a few details missing around how to make the
> MD5 => TLS transition