Re: [c-nsp] Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?

[Gert Doering via cisco-nsp]

Hi,

On Wed, Sep 27, 2023 at 08:48:44AM +0800, Barry Greene via cisco-nsp wrote:
> Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP 
> peering Sessions?

Not me.  Not sure if my vendors do support it (IOS XR and Arista EOS),
but I do not see significant benefit.

TBH, most of our (non-multihop) eBGP sessions do not even deploy MD5, as
the whole password management thing adds another source of operational
friction.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[c-nsp] Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?

[Barry Greene via cisco-nsp]

Hi Team,

Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering 
Sessions?

I’m not touching routers right now. I’m wondering if anyone has deployed, your 
experiences, and thoughts?

This is suppose to be the “replacement” for BGP MD5, ‘but’ I’m hearing …..

1. The Vendors are not supporting yet. Which means a lot of older systems would 
not be able to support a BGP session with TCP-AO.
2. People have to tried is operationally.

Sharing you thoughts would be helpful …...

Thanks,

Barry
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/