nanog mailing list archives
Re: BGP over TLS
From: Joe Abley <jabley () hopcount ca>
Date: Mon, 21 Oct 2019 12:30:54 -0400
On 21 Oct 2019, at 12:05, Keith Medcalf <kmedcalf () dessus com> wrote:
> On Monday, 21 October, 2019 09:44, Robert McKay <robert () mckay com> wrote:
>
>> The MD5 authentication is built into TCP options.. not obvious how you would transport it over TLS which afaik doesn't offer similar functionality.
>
> AHA! I understand now and sit corrected. I was under the mistaken impression that MD5 authentication was an application level thing, not a TCP level thing.

Well, TLS exists within a TCP session, and that TCP session could incorporate the MD5 signature option. I guess.

Julien's BGP-STARTTLS idea is interesting. I wonder about the practicality of deploying certificates to every BGP speaker that are useful for strict checking by neighbours, though. Perhaps I've been too long with my hands out of routers and things have moved on, but it seems to me that the history of certificate management in routers is not a rich tapestry of triumph.

Without strict checking in both directions, the threat model with TLS looks pretty similar to that with TCP-MD5 with not very secret secrets, which I gather is one of the deficiencies that the TLS proposal seeks to address.

Joe
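
The layering discussed in this message, as an added example that is not part of the original thread: the TCP MD5 signature option (RFC 2385) is computed over the TCP pseudo-header, the option-less TCP header, the segment data and a shared key, so a TLS record carried in the segment is just opaque payload to it. Function names, addresses, ports, key and payload bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND, MD5SIG_LEN = 19, 18   # RFC 2385 option: kind, total length

def md5_digest(src, dst, fixed_hdr, seg_len, payload, key):
    """Digest over pseudo-header, option-less TCP header (checksum 0), data, key."""
    hdr = bytearray(fixed_hdr[:20])
    hdr[16:18] = b"\x00\x00"                       # checksum counted as zero
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    return hashlib.md5(pseudo + bytes(hdr) + payload + key).digest()

def sign_segment(src, dst, sport, dport, seq, ack, payload, key):
    """Sender side: TCP header + MD5 option + payload (checksum left at zero)."""
    opt_len = 20                                   # 18-byte option + 2 NOPs of padding
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      ((20 + opt_len) // 4) << 4, 0x18, 65535, 0, 0)
    digest = md5_digest(src, dst, hdr, 20 + opt_len + len(payload), payload, key)
    option = bytes([MD5SIG_KIND, MD5SIG_LEN]) + digest + b"\x01\x01"
    return hdr + option + payload

def verify_segment(src, dst, segment, key):
    """Receiver side: find the option, recompute the digest, compare."""
    hdr_len = (segment[12] >> 4) * 4
    options, payload = segment[20:hdr_len], segment[hdr_len:]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                              # end of option list
            break
        if kind == 1:                              # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return False                           # malformed option list
        length = options[i + 1]
        if kind == MD5SIG_KIND and length == MD5SIG_LEN:
            expected = md5_digest(src, dst, segment[:20], len(segment), payload, key)
            return hmac.compare_digest(options[i + 2:i + 18], expected)
        i += length
    return False                                   # no signature option present

# Constructed sample: documentation addresses, made-up key, bytes shaped like a TLS record.
SRC, DST, KEY = "192.0.2.1", "198.51.100.2", b"not-very-secret"
TLS_RECORD = bytes.fromhex("1603030005") + b"hello"
SEGMENT = sign_segment(SRC, DST, 49152, 179, 1000, 2000, TLS_RECORD, KEY)
```

The digest authenticates the segment to anyone holding the shared key; it says nothing about which certificate, if any, the TLS layer above it checked.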
