BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Bjørn Mork
Christopher Morrow writes: > isn't Julien's idea more akin to DoT than DoH? Yes, and I really like Julien's proposal. It even looks pretty complete. There are just a few details missing around how to make the MD5 => TLS transition smooth. Sorry for any confusion caused by an attempt to make

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Julien Goodwin
On 21/10/19 6:30 pm, Bjørn Mork wrote: > Christopher Morrow writes: > >> isn't Julien's idea more akin to DoT than DoH? > > Yes, and I really like Julien's proposal. It even looks pretty > complete. There are just a few details missing around how to make the > MD5 => TLS transition

Re: Twitter contact?

2019-10-21 Thread Bryan Holloway
Someone has reached out; I’m good! > On Oct 21, 2019, at 13:54, Bryan Holloway wrote: > > Anyone from Twitter lurking? Trying to resolve a peering issue and not > getting far through published contacts. > > Thanks! >- bryan

Twitter contact?

2019-10-21 Thread Bryan Holloway
Anyone from Twitter lurking? Trying to resolve a peering issue and not getting far through published contacts. Thanks! - bryan

RE: BGP over TLS

2019-10-21 Thread Keith Medcalf
On Monday, 21 October, 2019 09:44, Robert McKay wrote: >On 2019-10-21 16:30, Keith Medcalf wrote: >> Why do you need to do anything? TLS is Transport Layer Security and >> its sole purpose is to protect communications from eavesdropping or >> modification by wiretappers on/in the line

Re: BGP over TLS

2019-10-21 Thread Joe Abley
On 21 Oct 2019, at 12:05, Keith Medcalf wrote: > On Monday, 21 October, 2019 09:44, Robert McKay wrote: > >> The MD5 authentication is built into TCP options.. not obvious how you >> would transport it over TLS which afaik doesn't offer similar >> functionality. > > AHA! I understand now and

Re: Best components for a full mvno core network?

2019-10-21 Thread Dario Renaud
Hello Javier, Well, if we take a step back to goals, I would like first to point that going Full MVNO might not be the best solution for us (roaming alone seems like quite a hassle, not to mention handsets management). My focus here is narrower, as I am mostly trying here to assert what the

Re: abha

2019-10-21 Thread Noah
We remembered her and her contribution to AfNOG earlier years during the recent Africa Internet Summit months ago. On Sun, 20 Oct 2019, 19:39 Randy Bush, wrote: > abha ahuja died this day in 2001. we miss her. > > randy > > http://www.neebu.net/~khuon/abha/ >

RE: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Keith Medcalf
>On 21/10/19 6:30 pm, Bjørn Mork wrote: >> Yes, and I really like Julien's proposal. It even looks pretty >> complete. There are just a few details missing around how to make the >> MD5 => TLS transition smooth. >At least for those systems that run on Linux (which is most all of the >major's

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Radu-Adrian Feurdean
On Mon, Oct 21, 2019, at 17:30, Keith Medcalf wrote: > Why do you need to do anything? TLS is Transport Layer Security and > its sole purpose is to protect communications from eavesdropping or > modification by wiretappers on/in the line between points A and B. MD5 > in BGP is used for

RE: BGP over TLS

2019-10-21 Thread Robert McKay
On 2019-10-21 16:30, Keith Medcalf wrote: On 21/10/19 6:30 pm, Bjørn Mork wrote: Yes, and I really like Julien's proposal. It even looks pretty complete. There are just a few details missing around how to make the MD5 => TLS transition smooth. At least for those systems that run on

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Jared Mauch
This was one thing I highlighted to the people telling me how I secure my network wrong. If it's HTTP and you lose a few clients maybe they don't care. If it's BGP I have one client and I care a lot and that session dropping can be gigs to tbps of traffic. Sent from my iCar > On Oct 21,

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Brandon Martin
On 10/21/19 11:30 AM, Keith Medcalf wrote: > Why cannot one just put the MD5 authenticated connection inside a TLS > connection? What is the advantage to be gained by replacing the > authentication mechanism with weaker certificate authentication method > available with TLS? Self-issued

RE: Request comment: list of IPs to block outbound

2019-10-21 Thread adamv0025
> -Original Message- > From: NANOG On Behalf Of Lukas Tribus > Sent: Friday, October 18, 2019 9:45 PM > To: Saku Ytti > Cc: nanog@nanog.org > Subject: Re: Request comment: list of IPs to block outbound > > Hello, > > On Fri, Oct 18, 2019 at 7:40 PM Saku Ytti wrote: > > It's

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Brandon Martin
On 10/21/19 3:37 PM, Jeffrey Haas wrote: > BGP over ipsec works fine. But that said, it's mostly done with pre-shared > keys. Is anybody actually doing it in practice? Every transit and peering document I've ever seen just talks about TCP-MD5 (if it talks about authentication at all). >

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Jeffrey Haas
> On Oct 21, 2019, at 4:17 PM, Brandon Martin wrote: > > On 10/21/19 3:37 PM, Jeffrey Haas wrote: >> BGP over ipsec works fine. But that said, it's mostly done with pre-shared >> keys. > > Is anybody actually doing it in practice? Absolutely. In the SP sector? Less clear. >> The ugly

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Brielle
On 10/21/2019 1:25 PM, Brandon Martin wrote: Wouldn't ipsec be a "cleaner" solution to this (buginess of implementations and difficulty of configuration aside)? It would also solve the TCP-RST injection issues that TCP-MD5 was intended to resolve. You can use null encryption with ESP or even

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Jeffrey Haas
> On Oct 21, 2019, at 3:25 PM, Brandon Martin wrote: > > On 10/21/19 11:30 AM, Keith Medcalf wrote: >> Why cannot one just put the MD5 authenticated connection inside a TLS >> connection? What is the advantage to be gained by replacing the >> authentication mechanism with weaker

Re: BGP over TLS

2019-10-21 Thread Bjørn Mork
Jeffrey Haas writes: > Exactly how the cert lifetime interacts with peering sessions is > likely to be several flavors of ugly. If you pin the key, then there is no reason to care about expiration. You could define the certificate as valid for as long as the pinned key matches. This is

Re: BGP over TLS

2019-10-21 Thread Jared Mauch
> On Oct 21, 2019, at 12:30 PM, Joe Abley wrote: > > On 21 Oct 2019, at 12:05, Keith Medcalf wrote: > >> On Monday, 21 October, 2019 09:44, Robert McKay wrote: >> >>> The MD5 authentication is built into TCP options.. not obvious how you >>> would transport it over TLS which afaik doesn't

Re: BGP over TLS

2019-10-21 Thread Tony Finch
Joe Abley wrote: > > Well, TLS exists within a TCP session, and that TCP session could > incorporate the MD5 signature option. I guess. AIUI this might be useful to make it a bit harder to kill the TCP session, tho I think modern TCPs are less vulnerable to off-path RST injection than TCPs were

Re: AWS issues with 172.0.0.0/12

2019-10-21 Thread Javier J
> No, Mehmet's public IP was _not_ from the RFC 1918 172.16.0.0/16 range. I was guessing the same thing. It wouldn't matter even behind NAT if you are using RFC 1918 unless you are building a tunnel into the VPC since in the AWS VPC, you are behind a NAT / Internet Gateway for anything to reach

RE: BGP over TLS

2019-10-21 Thread Jakob Heitz (jheitz) via NANOG
The article linked says no mainstream BGP implementation supports TCP-AO. IOS-XE and IOS-XR support it. While I do not represent the Cisco view, personally I like the idea of BGP over TLS. Regards, Jakob. -Original Message- Date: Mon, 21 Oct 2019 19:21:03 +1100 From: Julien Goodwin

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Brandon Martin
On 10/21/19 4:41 PM, Jeffrey Haas wrote: I'm not someone qualified, but I'll regurgitate what I've distilled from past conversations with those who are. :-) Presuming your key is strong enough, it may be infeasible to break it in a time that's of interest to the parties involved. The primary

Re: BGP over TLS

2019-10-21 Thread Grant Taylor via NANOG
On 10/21/19 11:04 AM, Jared Mauch wrote: I’ve seen enough people have issues with managing a password that certificates would be even harder when there’s a router swap. I think that's an unfortunate state of affairs. I don't know how to get around the PEBKAC problem. The issue isn’t that