On Tue, Mar 11, 2008 at 06:20:40PM -0400, James Carlson wrote:
> Nicolas Williams writes:
> > > (Let's not get into why TCP MD5 is of limited use and applicability.)
> >
> > Hmmm, perhaps one might argue that providing APIs would encourage the
> > use of TCP MD5 while we might want to do the opposite (i.e., discourage
> > it). I'll think about this.
>
> The only use is for BGP session protection. You need it to be
> compatible with Cisco and the rest of the BGP-speakers.
>
> And, no, there are no plans that I know of for SHA or better
> algorithms. Nobody wants to revisit this, and I suspect we're all
> just holding our breath waiting for IKEv2. ;-}

TCP-AO is a work-in-progress that intends to replace TCP-MD5. Currently
it's controversial, in part because it makes the keying issues worse (you
must have a new fresh manual key per-connection[!]). And TCP-AO
apparently has an SPD-like concept. People hate it, and if it gets off
the ground it'll probably be changed to be more... acceptable.

> It would be silly to use it for anything else, and I'd certainly
> support a warning label in the man page saying exactly that.

See above.

Nico
