>> something such as, or close to, rfc 4808? > > It provides some capability, but for example if I have a large iBGP > mesh and need to change methods of securing it and have automation > involved, it can often be a one-shot change unless I can zone some > routers to different versions of templating to have a smooth > transition. Basically the negative side of using peer-groups can be > quite catastrophic with how you transition from the router software > without good update packing/replication to one with a good system. It > doesn’t need the groups to optimize the leadership replication, but > you still use them to minimize configuration duplication. > > I’m not sure if in 2018 which is the right path from an automation > perspective, if you can have software specify and iterate everything, > do you continue to use apply-groups, or just rely upon the automation > to output the full configuration? > > Most systems (including the ones at present and past employers) tend > to be a variation on template driven in some language(s) where the > original problem/engineer creep doesn’t account for the proper > abstract models to allow zoned changes/rollover of subsets of the > network. Ie: rolling the key is an all-or-nothing operation. > > Similar to JTK most of the log messages we see are from people who > forgot the MD5 key, or at an IX where we did poor relationship > management so the IP is now reused by others and nobody cleaned up the > older session(s). > > I have heard (but not personally seen) of well formed TCP session > attacks where md5 may have helped, but since the punt path tends to be > the weak link and most folks don’t do GTSH/GTSM (or worse, have > hardware that can’t filter based on this) you still incur the > expensive punt operation only to have the RP/RE kernel then drop the > packet. > > IOS-XR also has very good/robust defaults with LPTS which helps > significantly. I’ve seen quite large attacks against a router be > mitigated by LPTS and not require the mpp/control plane filters to be > involved. > > Basically, once you roll md5 you may be at risk for having rolled it > to need a way to undo and that pathway may not be easy, with or > without automation.
one or both of us needs to reread 4808 randy
