> From: Christopher Morrow
> Sent: Friday, October 25, 2019 7:08 AM
>
> > > > So move from bilateral peering over common IX-LAN to direct
> > > > peering Or if a direct link is still not to be trusted do MACSEC.
> > > > Then it's all about you and the peer -if he/she screws you over de-peer.
> >
On Thu, Oct 24, 2019 at 9:33 AM wrote:
>
> > From: Christopher Morrow
> > Sent: Wednesday, October 23, 2019 6:53 PM
> > Subject: Re: BGP over TLS
> >
> > On Wed, Oct 23, 2019 at 10:43 AM wrote:
> > >
> > > > Sent: Tuesday, October 22, 2019
> From: Christopher Morrow
> Sent: Wednesday, October 23, 2019 6:53 PM
> Subject: Re: BGP over TLS
>
> On Wed, Oct 23, 2019 at 10:43 AM wrote:
> >
> > > Sent: Tuesday, October 22, 2019 8:26 PM
> > > To: Keith Medcalf
> > >
> > > N
> there ARE problems with tcp-md5... some are "because we collectively
> didn't squeak enough to get key-tables"
i believe many vendors implement key scheduling. no one uses it, and i
do not suggest they do.
randy
On Wed, Oct 23, 2019 at 11:18 AM Alain Hebert wrote:
>
> I do not have much to contribute but this.
>
> We already have ( choose your poison(s) )
>
> Dark Fiber + MACsec + BCP38 + ACL + MD5 + MPLS + IRRD + GRE + IPsec +
> yadi yada
much of this isn't solving the problem though, a
On Wed, Oct 23, 2019 at 10:43 AM wrote:
>
> > Sent: Tuesday, October 22, 2019 8:26 PM
> > To: Keith Medcalf
> >
> > No,
> >
> >
> > > On Oct 22, 2019, at 2:08 PM, Keith Medcalf
> > wrote:
> > >
> > > At this point further communications are encrypted and secure against
> > eavesdropping.
> >
> >
I do not have much to contribute but this.
We already have ( choose your poison(s) )
Dark Fiber + MACsec + BCP38 + ACL + MD5 + MPLS + IRRD + GRE +
IPsec + yadi yada
PS: Yup, I have SRX300s doing BGP over NNI -and- a GRE + IPsec
on LTE as a backup.
What is the re
> Sent: Tuesday, October 22, 2019 8:26 PM
> To: Keith Medcalf
>
> No,
>
>
> > On Oct 22, 2019, at 2:08 PM, Keith Medcalf
> wrote:
> >
> > At this point further communications are encrypted and secure against
> eavesdropping.
>
> The problem isn't the protocol being eavesdropped on. The data i
> On Oct 22, 2019, at 6:31 PM, Keith Medcalf wrote:
>
> I see. It is an AIC problem, not a CIA problem. TLS in its default
> usage is a CIA thing because, well, it was designed to solve CIA
> problems where even temporary secrecy is more important than being down
> for a week. As had been p
On Tuesday, 22 October, 2019 13:26, Jared Mauch
wrote:
>No,
>> On Oct 22, 2019, at 2:08 PM, Keith Medcalf
wrote:
>> At this point further communications are encrypted and secure against
>>eavesdropping.
>The problem isn't the protocol being eavesdropped on. The data is
already
>published pu
No,
> On Oct 22, 2019, at 2:08 PM, Keith Medcalf wrote:
>
> At this point further communications are encrypted and secure against
> eavesdropping.
The problem isn't the protocol being eavesdropped on. The data is already
published publicly by many people.
The problem is one of mutual authe
On Tue, Oct 22, 2019 at 2:21 PM Bjørn Mork wrote:
>
> Christopher Morrow writes:
>
> > The x.509 system, to be effective here would require a TrustAnchor /
> > Root-of-Trust that both parties agreed was acceptable...
>
> As in a shared TrustAnchor? No. Both ends could use a simple self
as an o
On 10/22/2019 14:07, Keith Medcalf wrote:
That is incorrect.
I believe that an endpoint (lets call it Alice) can connect to another endpoint (lets call it Bob) and Alice can say to Bob,
"Hello Dude, lets negotiate a secret key between us". "Yokkely dokelly", says Bob, "Lets do that".
They th
Christopher Morrow writes:
> The x.509 system, to be effective here would require a TrustAnchor /
> Root-of-Trust that both parties agreed was acceptable...
As in a shared TrustAnchor? No. Both ends could use a simple self
signed certificate and be configured to trust the other. A hash of the
Once upon a time, Keith Medcalf said:
> I believe that an endpoint (lets call it Alice) can connect to another
> endpoint (lets call it Bob) and Alice can say to Bob, "Hello Dude, lets
> negotiate a secret key between us". "Yokkely dokelly", says Bob, "Lets do
> that". They then exchange some
>TLS in the traditional sense 'requires' that there be an X.509
>certificate to use in authenticating (and to some extent authorizing -
>can you be a CA? sign email? etc...) endpoints, ideally you do 'tls
>mutual authentication'...
That is incorrect.
I believe that an endpoint (lets call it Alice
On Tue, Oct 22, 2019 at 6:35 AM Julien Goodwin wrote:
>
>
>
> On 22/10/19 4:04 am, Jared Mauch wrote:
> >
> >
> >> On Oct 21, 2019, at 12:30 PM, Joe Abley wrote:
> >>
> >> On 21 Oct 2019, at 12:05, Keith Medcalf wrote:
> >>
> >>> On Monday, 21 October, 2019 09:44, Robert McKay wrote:
> >>>
> >>
On 22/10/19 5:42 am, Jakob Heitz (jheitz) via NANOG wrote:
> The article linked says no mainstream BGP implementation supports TCP-AO.
> IOS-XE and IOS-XR support it.
>
> While I do not represent the Cisco view, personally I like the idea of BGP
> over TLS.
Excellent, that's news to me.
I had b
On 22/10/19 4:04 am, Jared Mauch wrote:
>
>
>> On Oct 21, 2019, at 12:30 PM, Joe Abley wrote:
>>
>> On 21 Oct 2019, at 12:05, Keith Medcalf wrote:
>>
>>> On Monday, 21 October, 2019 09:44, Robert McKay wrote:
>>>
The MD5 authentication is built into TCP options.. not obvious how you
>>
On 10/21/19 11:04 AM, Jared Mauch wrote:
I’ve seen enough people have issues with managing a password that
certificates would be even harder when there’s a router swap.
I think that's an unfortunate state of affair. I don't know how to get
around the PEBKAC problem.
The issue isn’t that mos
On 10/21/19 4:41 PM, Jeffrey Haas wrote:
I'm not someone qualified, but I'll regurgitate what I've distilled from past
conversations with those who are.:-)
Presuming your key is strong enough, it may be infeasible to break it in a time
that's of interest to the parties involved. The primary i
> On Oct 21, 2019, at 4:17 PM, Brandon Martin wrote:
>
> On 10/21/19 3:37 PM, Jeffrey Haas wrote:
>> BGP over ipsec works fine. But that said, it's mostly done with pre-shared
>> keys.
>
> Is anybody actually doing it in practice?
Absolutely. In the SP sector? Less clear.
>> The ugly is
This was one thing I highlighted to the people telling me how I secure my
network wrong. If it's HTTP and you lose a few clients maybe they don't care.
If it's BGP I have one client and I care a lot and that session dropping can be
gigs to tbps of traffic.
Sent from my iCar
> On Oct 21, 2019,
Jeffrey Haas writes:
> Exactly how the cert lifetime interacts with peering sessions is
> likely to be several flavors of ugly.
If you pin the key, then there is no reason to care about expiration.
You could define the certificate as valid for as long as the pinned key
matches. This is simila
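The two Bjørn Mork messages above (self-signed certificates with each side configured to trust the other's key, and "if you pin the key, there is no reason to care about expiration") describe a concrete mechanism, so here is an added example of it that is not part of the thread and is nobody's production code. It is written in Go against the standard library only: both speakers mint a self-signed certificate at run time, each side is configured with the SHA-256 of the other's SubjectPublicKeyInfo (the same pin format browsers used for HPKP), and the TLS configuration disables chain, hostname and validity checking in favour of that pin, in both directions. The names `alice.example` and `bob.example`, the helper names, and the loopback transport are all assumptions for the example; it goes slightly beyond the text by also running the two failure cases (a stale pin, and a re-issued certificate over the same key that has already expired, which the pin still accepts).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mints a self-signed certificate over key with the given validity window.
func selfSigned(name string, key ed25519.PrivateKey, notBefore, notAfter time.Time) tls.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// spkiPin is SHA-256 over the SubjectPublicKeyInfo, base64-encoded: the value the two
// operators swap out of band, as they swap a TCP-MD5 password today. Key-bound, not cert-bound.
func spkiPin(der []byte) string {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "" // an unparsable certificate never matches a configured pin
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedConfig replaces chain, hostname and validity checks with a check on the peer's key.
func pinnedConfig(own tls.Certificate, peerPin string) *tls.Config {
	return &tls.Config{
		Certificates:       []tls.Certificate{own},
		MinVersion:         tls.VersionTLS13,
		InsecureSkipVerify: true,                     // client side: no X.509 verification
		ClientAuth:         tls.RequireAnyClientCert, // server side: demand a cert, check it below
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 || spkiPin(rawCerts[0]) != peerPin {
				return fmt.Errorf("peer key does not match pinned key %s", peerPin)
			}
			return nil
		},
	}
}

// session runs one mutually authenticated handshake over loopback TCP (Alice dials Bob).
func session(alice, bob tls.Certificate, alicePinOfBob, bobPinOfAlice string) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", pinnedConfig(bob, bobPinOfAlice))
	if err != nil {
		return err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			conn.SetDeadline(time.Now().Add(5 * time.Second))
			err = conn.(*tls.Conn).Handshake() // runs Bob's pin check on Alice's certificate
			conn.Close()
		}
		serverErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), pinnedConfig(alice, alicePinOfBob))
	if err != nil {
		return err // Alice's pin check on Bob's certificate failed (or a transport error)
	}
	defer conn.Close()
	return <-serverErr
}

// demo covers matching pins, an expired re-issue over the pinned key, and a stale pin.
// All keys and certificates are generated here for the example, not taken from any peering.
func demo() (matching, expiredSameKey, stalePin error) {
	now := time.Now()
	_, aliceKey, _ := ed25519.GenerateKey(rand.Reader)
	_, bobKey, _ := ed25519.GenerateKey(rand.Reader)
	alice := selfSigned("alice.example", aliceKey, now.Add(-time.Hour), now.Add(24*time.Hour))
	bob := selfSigned("bob.example", bobKey, now.Add(-time.Hour), now.Add(24*time.Hour))
	bobExpired := selfSigned("bob.example", bobKey, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	alicePin, bobPin := spkiPin(alice.Certificate[0]), spkiPin(bob.Certificate[0])
	return session(alice, bob, bobPin, alicePin),
		session(alice, bobExpired, bobPin, alicePin),
		session(alice, bob, alicePin, alicePin) // Alice still holds a pin that is not Bob's key
}

func main() { fmt.Println(demo()) }
```

Running it prints `<nil> <nil> <error>`: the first two sessions come up, including the one where Bob's certificate expired yesterday, because only the key is trusted; the third fails at Alice's side before any BGP OPEN would be sent. The pin check runs on both ends (Bob also pins Alice's key via `ClientAuth`), which is what makes this mutual authentication rather than the one-sided server verification of ordinary web TLS. What it does not give you is a graceful rollover: when a peer changes its key, the pin on the other side has to change in step, which is the same operational problem as rotating a TCP-MD5 password.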
> On Oct 21, 2019, at 3:25 PM, Brandon Martin wrote:
>
> On 10/21/19 11:30 AM, Keith Medcalf wrote:
>> Why cannot one just put the MD5 authenticated connection inside a TLS
>> connection? What is the advantage to be gained by replacing the
>> authentication mechanism with weaker certificate
On 10/21/19 3:37 PM, Jeffrey Haas wrote:
> BGP over ipsec works fine. But that said, it's mostly done with pre-shared
> keys.
Is anybody actually doing it in practice? Every transit and peering document
I've ever seen just talks about TCP-MD5 (if it talks about authentication at
all).
> The
On 10/21/2019 1:25 PM, Brandon Martin wrote:
Wouldn't ipsec be a "cleaner" solution to this (buginess of implementations and
difficulty of configuration aside)? It would also solve the TCP-RST injection issues that TCP-MD5
was intended to resolve. You can use null encryption with ESP or even
On 10/21/19 11:30 AM, Keith Medcalf wrote:
> Why cannot one just put the MD5 authenticated connection inside a TLS
> connection? What is the advantage to be gained by replacing the
> authentication mechanism with weaker certificate authentication method
> available with TLS?
Self-issued certif
The article linked says no mainstream BGP implementation supports TCP-AO.
IOS-XE and IOS-XR support it.
While I do not represent the Cisco view, personally I like the idea of BGP over
TLS.
Regards,
Jakob.
-Original Message-
Date: Mon, 21 Oct 2019 19:21:03 +1100
From: Julien Goodwin
> On Oct 21, 2019, at 12:30 PM, Joe Abley wrote:
>
> On 21 Oct 2019, at 12:05, Keith Medcalf wrote:
>
>> On Monday, 21 October, 2019 09:44, Robert McKay wrote:
>>
>>> The MD5 authentication is built into TCP options.. not obvious how you
>>> would transport it over TLS which afaik doesn't
Joe Abley wrote:
>
> Well, TLS exists within a TCP session, and that TCP session could
> incorporate the MD5 signature option. I guess.
AIUI this might be useful to make it a bit harder to kill the TCP session,
tho I think modern TCPs are less vulnerable to off-path RST injection
than TCPs were w
On 21 Oct 2019, at 12:05, Keith Medcalf wrote:
> On Monday, 21 October, 2019 09:44, Robert McKay wrote:
>
>> The MD5 authentication is built into TCP options.. not obvious how you
>> would transport it over TLS which afaik doesn't offer similar
>> functionality.
>
> AHA! I understand now and
On Monday, 21 October, 2019 09:44, Robert McKay wrote:
>On 2019-10-21 16:30, Keith Medcalf wrote:
>> Why do you need to do anything? TLS is Transport Layer Security and
>> it's sole purpose is to protect communications from eavesdropping or
>> modification by wiretappers on/in the line betwee
On 2019-10-21 16:30, Keith Medcalf wrote:
On 21/10/19 6:30 pm, Bjørn Mork wrote:
Yes, and I really like Julien's proposal. It even looks pretty
complete. There are just a few details missing around how to make
the
MD5 => TLS transition smooth.
At least for those systems that run on Linu
On Mon, Oct 21, 2019, at 17:30, Keith Medcalf wrote:
> Why do you need to do anything? TLS is Transport Layer Security and
> it's sole purpose is to protect communications from eavesdropping or
> modification by wiretappers on/in the line between points A and B. MD5
> in BGP is used for authe
>On 21/10/19 6:30 pm, Bjørn Mork wrote:
>> Yes, and I really like Julien's proposal. It even looks pretty
>> complete. There are just a few details missing around how to make the
>> MD5 => TLS transition smooth.
>At least for those systems that run on Linux (which is most all of the
>major's
On 21/10/19 6:30 pm, Bjørn Mork wrote:
> Christopher Morrow writes:
>
>> isn't julien's idea more akin to DOT then DOH ?
>
> Yes, and I really like Julien's proposal. It even looks pretty
> complete. There are just a few details missing around how to make the
> MD5 => TLS transition smooth.