Nicolas Williams writes:
> TCP-AO is a work-in-progress that intends to replace TCP-MD5.
>
> Currently it's controversial. In part because it makes the keying
> issues worse (you must have a new fresh manual key per-connection[!]).

That's Joe Touch's (and Juniper's?) document. I don't really think it'll go anywhere unless Cisco starts talking about implementing, and that hasn't happened as far as I know. (I don't think this is the first attempt to replace TCP-MD5, though it does seem to be the most elaborate. ;-})

> > It would be silly to use it for anything else, and I'd certainly
> > support a warning label in the man page saying exactly that.
>
> See above.

Even if tcpm-tcp-auth-opt gets deployed, I'd expect that it's really just a "special" for BGP and related routing protocols that use TCP (such as LDP and perhaps the new transport options for RSVP and PIM), and not a general-purpose connection protection mechanism. The keying issues put it out of reach of the usual applications. You need a small group of manually keyed systems. It's "high maintenance."

So, a warning label would still be needed.

-- 
James Carlson, Solaris Networking              <[EMAIL PROTECTED]>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
