Re: [j-nsp] Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?

2023-09-27 Thread Andrew Gallo via juniper-nsp

I only know of one production eBGP deployment (prove me wrong!)

https://labs.ripe.net/author/andrew-gallo/production-deployment-of-tcp-authentication-option/

Happens to be between two routers that I control (but it's still eBGP)

I'd love to hear about more deployments

There is a github repo with some interop results and config examples

https://github.com/TCP-AO/

Please share your experiences


On 9/27/2023 10:56 AM, Michael Hare via juniper-nsp wrote:

> FWIW, I deployed it for iBGP on MX gear in 20.4 with no concerns for an ASN I
> manage.  No issues in our lab with a mix of 20.4, 21.2 and 22.4, all classic
> JunOS.  I haven't tried it in any other scenario.
>
> -Michael
>
>
> > -Original Message-
> > From: juniper-nsp  On Behalf Of Barry
> > Greene via juniper-nsp
> > Sent: Tuesday, September 26, 2023 7:50 PM
> > To: juniper-nsp@puck.nether.net
> > Subject: [j-nsp] Q. Is anyone deploying TCP Authentication Option (TCP-AO) on
> > their BGP peering Sessions?
> >
> > Hi Team,
> >
> > Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP
> > peering Sessions?
> >
> > I’m not touching routers right now. I’m wondering if anyone has deployed,
> > your experiences, and thoughts?
> >
> > This is supposed to be the “replacement” for BGP MD5, ‘but’ I’m hearing …..
> >
> > 1. The Vendors are not supporting yet. Which means a lot of older systems
> > would not be able to support a BGP session with TCP-AO.
> > 2. People have to tried is operationally.
> >
> > Sharing your thoughts would be helpful …...
> >
> > Thanks,
> >
> > Barry
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp



Re: [j-nsp] Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?

2023-09-27 Thread Michael Hare via juniper-nsp
FWIW, I deployed it for iBGP on MX gear in 20.4 with no concerns for an ASN I 
manage.  No issues in our lab with a mix of 20.4, 21.2 and 22.4, all classic 
JunOS.  I haven't tried it in any other scenario.

-Michael

> -Original Message-
> From: juniper-nsp  On Behalf Of Barry
> Greene via juniper-nsp
> Sent: Tuesday, September 26, 2023 7:50 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] Q. Is anyone deploying TCP Authentication Option (TCP-AO) on
> their BGP peering Sessions?
> 
> Hi Team,
> 
> Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP
> peering Sessions?
> 
> I’m not touching routers right now. I’m wondering if anyone has deployed,
> your experiences, and thoughts?
> 
> This is supposed to be the “replacement” for BGP MD5, ‘but’ I’m hearing …..
> 
> 1. The Vendors are not supporting yet. Which means a lot of older systems
> would not be able to support a BGP session with TCP-AO.
> 2. People have to tried is operationally.
> 
> Sharing your thoughts would be helpful …...
> 
> Thanks,
> 
> Barry


Re: [j-nsp] Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?

2023-09-27 Thread Jeff Haas via juniper-nsp
[Warning: vendor anecdata follows]

In bgp-land where we're a primary motivator, but only a client of tcp-ao, we've 
seen a few minor bugs from the field primarily dealing with keychain 
configuration or rollover issues in the last few years.  Basically enough 
activity to suggest people are minimally playing with it, to possibly deploying 
it.  The folk in JTAC would be able to tell us more by mining configs, but for 
good reasons they don't want us poking through customer configs too 
arbitrarily.  In terms of my experience for "bug activity as a proxy for 
deployment", I'd guess we're still moving in early stages, but it's happening.

The fact that tcp-ao support in linux is becoming more pervasive will likely 
help us close some gaps and likely provide better support for vendors that use 
that as their underlying OS.

One note to keep in mind in terms of roll-out is implementations with NSR 
support have to do rather unpleasant things to TCP stacks in order to implement 
an already tricky feature.  This is one of the reasons why deployment across 
vendors is slow.

-- Jeff

On 9/27/23, 1:35 AM, "juniper-nsp on behalf of Saku Ytti via juniper-nsp" wrote:


On Wed, 27 Sept 2023 at 03:50, Barry Greene via juniper-nsp wrote:


> Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP 
> peering Sessions?
>
> I’m not touching routers right now. I’m wondering if anyone has deployed, 
> your experiences, and thoughts?


For the longest time (like close to a decade) no one supported it at
all, not even Juniper, because Juniper implementation was pre-RFC
which was incompatible with RFC.


To my understanding today there is support in Junos, IOS-XE, IOS-XR,
SROS, EOS and VRP. I have no operational experience to share.


--
++ytti


Re: [j-nsp] Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?

2023-09-26 Thread Saku Ytti via juniper-nsp
On Wed, 27 Sept 2023 at 03:50, Barry Greene via juniper-nsp wrote:

> Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP 
> peering Sessions?
>
> I’m not touching routers right now. I’m wondering if anyone has deployed, 
> your experiences, and thoughts?

For the longest time (like close to a decade) no one supported it at
all, not even Juniper, because Juniper implementation was pre-RFC
which was incompatible with RFC.

To my understanding today there is support in Junos, IOS-XE, IOS-XR,
SROS, EOS and VRP. I have no operational experience to share.

--
  ++ytti


Re: [j-nsp] Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?

2023-09-26 Thread Chris Kawchuk via juniper-nsp
FWIW -- We've asked for that feature now in any RFP/RFQs we send to the usual 
gang of $vendors.

That's our method to get adoption, else they get a black-mark/non-comply in the
[BGP section] when it comes time to score the responses.

- CK.



> On 27 Sep 2023, at 10:49, Barry Greene via juniper-nsp wrote:
> 
> Hi Team,
> 
> Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP 
> peering Sessions?
> 
> I’m not touching routers right now. I’m wondering if anyone has deployed, 
> your experiences, and thoughts?
> 
> This is supposed to be the “replacement” for BGP MD5, ‘but’ I’m hearing …..
> 
> 1. The Vendors are not supporting yet. Which means a lot of older systems 
> would not be able to support a BGP session with TCP-AO.
> 2. People have to tried is operationally.
> 
> Sharing your thoughts would be helpful …...
> 
> Thanks,
> 
> Barry


[j-nsp] Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?

2023-09-26 Thread Barry Greene via juniper-nsp
Hi Team,

Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering 
Sessions?

I’m not touching routers right now. I’m wondering if anyone has deployed, your 
experiences, and thoughts?

This is supposed to be the “replacement” for BGP MD5, ‘but’ I’m hearing …..

1. The Vendors are not supporting yet. Which means a lot of older systems would 
not be able to support a BGP session with TCP-AO.
2. People have to tried is operationally.

Sharing your thoughts would be helpful …...

Thanks,

Barry