nanog mailing list archives

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

From: Brielle <bruns () 2mbit com>
Date: Mon, 21 Oct 2019 13:42:13 -0600

On 10/21/2019 1:25 PM, Brandon Martin wrote:

Wouldn't ipsec be a "cleaner" solution to this (buginess of implementations and difficulty of configuration aside)?  It would also 
solve the TCP-RST injection issues that TCP-MD5 was intended to resolve.  You can use null encryption with ESP or even just AH if you want 
authentication without confidentiality, too.  Or are we all going to admit that ipsec is almost dead in that it's just too darned complex?  Just 
run BGP over TCP as normal and install a security policy that says it must use ipsec with appropriate (agreed-upon) authentication.  
"Just", right?

I've used BGP over IPSec before in my labs between EdgeRouter models fortesting purposes.

Other then making sure there is either a connected route or static route(if doing multihop) to the other side, its works. But like you said,interop issues and all may cause issues...

Speaking of issues, if you run StrongSwan for IPSec with BGP on the samerouter/system, make sure to disable charon's processing of routes oryou'll be burning major CPU cycles. See:


https://wiki.strongswan.org/issues/1196


--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org    /     http://www.ahbl.org

Current thread:

Re: BGP over TLS, (continued)
- - - Re: BGP over TLS Christopher Morrow (Oct 22)
    - RE: BGP over TLS Keith Medcalf (Oct 22)
    - Re: BGP over TLS Chris Adams (Oct 22)
    - Re: BGP over TLS Brandon Martin (Oct 22)
    - Re: BGP over TLS Jared Mauch (Oct 22)
    - RE: BGP over TLS Keith Medcalf (Oct 22)
    - Re: BGP over TLS Jared Mauch (Oct 22)
    - Re: BGP over TLS Bjørn Mork (Oct 22)
    - Re: BGP over TLS Christopher Morrow (Oct 22)
    - Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing") Brandon Martin (Oct 21)
    - Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing") Brielle (Oct 21)
    - Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing") Jeffrey Haas (Oct 21)
    - Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing") Brandon Martin (Oct 21)
    - Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing") Jeffrey Haas (Oct 21)
    - Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing") Brandon Martin (Oct 21)
    - Re: BGP over TLS Bjørn Mork (Oct 21)
    - Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing") Jared Mauch (Oct 21)
    - RE: "Using Cloud Resources to Dramatically Improve Internet Routing" Keith Medcalf (Oct 20)
  - Re: "Using Cloud Resources to Dramatically Improve Internet Routing" Warren Kumari (Oct 11)
    - Re: "Using Cloud Resources to Dramatically Improve Internet Routing" Valdis Klētnieks (Oct 11)
  - Re: "Using Cloud Resources to Dramatically Improve Internet Routing" Radu-Adrian Feurdean (Oct 20)

(Thread continues...)