On Mon, 19 Jun 2006 15:40:50 +0200, Iljitsch van Beijnum <[EMAIL PROTECTED]> wrote:
> On 19-jun-2006, at 14:32, Steven M. Bellovin wrote:
>
> > I just submitted an I-D on TCP-MD5 key change. Until it shows up
> > in the official repository, see
> > http://www.cs.columbia.edu/~smb/papers/draft-bellovin-keyroll2385-00.txt
> >
> > Here's the abstract:
> >
> > The TCP-MD5 option is most commonly used to secure
> > BGP sessions between routers. However, changing
> > the long-term key is difficult, since the change
> > needs to be synchronized between different
> > organizations.
> > We describe single-ended strategies that will permit
> > (mostly) unsynchronized key changes.
> >
> > Comments welcome.
>
> I wonder how long that policy will hold. (-:

I'm not certain what you mean by that, but since it sounds insulting to
someone I'll ignore it.

> First of all, I applaud this effort.
>
> There doesn't really seem to be a way to introduce a new key other
> than to just agree on a time. I'm not sure this is good enough.
>
> Wouldn't it be better to exchange some kind of "time to change keys"
> message? This could simply be a new type of BGP message that holds a
> key ID. Obviously the capability to send and receive these messages
> must be negotiated when the session is created, but still, I think
> the extra complexity is worth it because it allows for much more
> robust operation.

There are lots of good solutions if you're willing to change or introduce
protocols. That takes a lot longer, both procedurally and technically.
This scheme is simple and single-ended, and can be implemented without
co-ordination. We should indeed try for a better solution. Until then,
I'm suggesting this -- I'm aiming at Informational -- to tide us over.
The need for some such solution was quite clear during Bonica's talk in
San Jose.

> And is NANOG now officially an IETF working group...?

First, this is draft-bellovin-..., not draft-ietf-..., i.e., an individual
submission rather than part of a working group. Second, I'm no longer
Security AD. Third, even if this were an official IETF effort by the
Security AD, it would be rather stupid not to ask the opinion of the
people most directly affected by it.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
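The building block any single-ended rollover rests on is the receiving side being willing to authenticate a segment under either the old or the new key, so that the sending side can cut over on its own clock. The Python below is added here as an illustration of that primitive; it is not code from the draft, from the thread, or from any router implementation. It computes and verifies the RFC 2385 TCP-MD5 option (kind 19, length 18, MD5 over the pseudo-header, the fixed TCP header with checksum zeroed, the data and the key) over a constructed BGP KEEPALIVE. The peer addresses, key values, the key names "old"/"new" and the time-based cutover policy in choose_send_key are assumptions made for the demo, not the strategy the draft describes.

```python
import hashlib
import hmac
import socket
import struct

# RFC 2385 TCP MD5 Signature Option: kind 19, length 18 (kind, length, 16-byte digest).
TCP_MD5_KIND = 19
TCP_MD5_OPT_LEN = 18
PROTO_TCP = 6
MD5_OPTIONS_LEN = 20          # the 18-byte option plus two NOPs to reach a 4-byte boundary

# Constructed keys and addresses for the demo (hypothetical, not from the draft).
OLD_KEY = b"old-shared-secret"
NEW_KEY = b"new-shared-secret"
PEER_A, PEER_B = "192.0.2.1", "192.0.2.2"
# A BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def build_fixed_header(src_port, dst_port, seq, ack, flags, header_len):
    """20-byte TCP header with checksum and urgent pointer zero; header_len includes options."""
    offset_flags = ((header_len // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, 65535, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, options_len, payload, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header (checksum forced to zero,
    options excluded), segment data, then the key. The pseudo-header length counts options."""
    seg_len = len(fixed_header) + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, PROTO_TCP, seg_len))
    header_no_csum = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]
    return hashlib.md5(pseudo + header_no_csum + payload + key).digest()


def sign_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, payload, key):
    """Build a TCP segment (no IP header) carrying an MD5 option computed with `key`."""
    fixed = build_fixed_header(src_port, dst_port, seq, ack, 0x18, 20 + MD5_OPTIONS_LEN)  # PSH|ACK
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, MD5_OPTIONS_LEN, payload, key)
    options = struct.pack("!BB", TCP_MD5_KIND, TCP_MD5_OPT_LEN) + digest + b"\x01\x01"
    return fixed + options + payload


def extract_md5_option(segment):
    """Walk the TCP options and return the 16-byte digest, or None if absent or malformed."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            return None
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return None
        if kind == TCP_MD5_KIND and length == TCP_MD5_OPT_LEN:
            return bytes(opts[i + 2:i + length])
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, candidate_keys):
    """Receiver side: try each (name, key) in order and return the name that authenticates
    the segment, or None. Holding both old and new keys here is what lets the peer
    change its sending key without coordinating the exact moment."""
    got = extract_md5_option(segment)
    if got is None:
        return None
    data_offset = (segment[12] >> 4) * 4
    fixed, payload = segment[:20], segment[data_offset:]
    for name, key in candidate_keys:
        want = tcp_md5_digest(src_ip, dst_ip, fixed, data_offset - 20, payload, key)
        if hmac.compare_digest(got, want):
            return name
    return None


def choose_send_key(now, cutover, old_key, new_key):
    """Sender side (assumed policy for the demo): old key until a locally configured cutover."""
    return new_key if now >= cutover else old_key


def rollover_demo():
    """Which key the receiver matched for three segments: before cutover, after cutover,
    and one signed with a key the receiver does not hold."""
    receiver_keys = [("new", NEW_KEY), ("old", OLD_KEY)]   # receiver prepared for either
    results = []
    for now in (90, 110):                                  # constructed clock, cutover at 100
        key = choose_send_key(now, 100, OLD_KEY, NEW_KEY)
        seg = sign_segment(PEER_A, PEER_B, 179, 54321, 1000, 2000, KEEPALIVE, key)
        results.append(verify_segment(PEER_A, PEER_B, seg, receiver_keys))
    stray = sign_segment(PEER_A, PEER_B, 179, 54321, 1000, 2000, KEEPALIVE, b"unrelated-key")
    results.append(verify_segment(PEER_A, PEER_B, stray, receiver_keys))
    return tuple(results)


if __name__ == "__main__":
    print(rollover_demo())
```

Running the demo yields ("old", "new", None): the receiver, configured with both keys, accepts the peer's segments on either side of the peer's private cutover and still rejects anything signed with a key it was never given. Because the pseudo-header is covered by the digest, the same segment also fails verification if the addresses are swapped, which is why the receiver cannot simply cache "the" digest for a segment and must recompute it per candidate key.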