RE: BGP over TLS

2019-10-21 Thread Robert McKay
On 2019-10-21 16:30, Keith Medcalf wrote: On 21/10/19 6:30 pm, Bjørn Mork wrote: Yes, and I really like Julien's proposal. It even looks pretty complete. There are just a few details missing around how to make the MD5 => TLS transition smooth. At least for those systems that run on Linu

RE: BGP over TLS

2019-10-21 Thread Keith Medcalf
On Monday, 21 October, 2019 09:44, Robert McKay wrote: >On 2019-10-21 16:30, Keith Medcalf wrote: >> Why do you need to do anything? TLS is Transport Layer Security and >> its sole purpose is to protect communications from eavesdropping or >> modification by wiretappers on/in the line betwee

Re: BGP over TLS

2019-10-21 Thread Joe Abley
On 21 Oct 2019, at 12:05, Keith Medcalf wrote: > On Monday, 21 October, 2019 09:44, Robert McKay wrote: > >> The MD5 authentication is built into TCP options.. not obvious how you >> would transport it over TLS which afaik doesn't offer similar >> functionality. > > AHA! I understand now and

Re: BGP over TLS

2019-10-21 Thread Tony Finch
Joe Abley wrote: > > Well, TLS exists within a TCP session, and that TCP session could > incorporate the MD5 signature option. I guess. AIUI this might be useful to make it a bit harder to kill the TCP session, tho I think modern TCPs are less vulnerable to off-path RST injection than TCPs were w

Re: BGP over TLS

2019-10-21 Thread Jared Mauch
> On Oct 21, 2019, at 12:30 PM, Joe Abley wrote: > > On 21 Oct 2019, at 12:05, Keith Medcalf wrote: > >> On Monday, 21 October, 2019 09:44, Robert McKay wrote: >> >>> The MD5 authentication is built into TCP options.. not obvious how you >>> would transport it over TLS which afaik doesn't

RE: BGP over TLS

2019-10-21 Thread Jakob Heitz (jheitz) via NANOG
The article linked says no mainstream BGP implementation supports TCP-AO. IOS-XE and IOS-XR support it. While I do not represent the Cisco view, personally I like the idea of BGP over TLS. Regards, Jakob. -Original Message- Date: Mon, 21 Oct 2019 19:21:03 +1100 From: Julien Goodwin

Re: BGP over TLS

2019-10-21 Thread Bjørn Mork
Jeffrey Haas writes: > Exactly how the cert lifetime interacts with peering sessions is > likely to be several flavors of ugly. If you pin the key, then there is no reason to care about expiration. You could define the certificate as valid for as long as the pinned key matches. This is simila

Re: BGP over TLS

2019-10-21 Thread Grant Taylor via NANOG
On 10/21/19 11:04 AM, Jared Mauch wrote: I’ve seen enough people have issues with managing a password that certificates would be even harder when there’s a router swap. I think that's an unfortunate state of affair. I don't know how to get around the PEBKAC problem. The issue isn’t that mos

Re: BGP over TLS

2019-10-22 Thread Julien Goodwin
On 22/10/19 4:04 am, Jared Mauch wrote: > > >> On Oct 21, 2019, at 12:30 PM, Joe Abley wrote: >> >> On 21 Oct 2019, at 12:05, Keith Medcalf wrote: >> >>> On Monday, 21 October, 2019 09:44, Robert McKay wrote: >>> The MD5 authentication is built into TCP options.. not obvious how you >>

Re: BGP over TLS

2019-10-22 Thread Julien Goodwin
On 22/10/19 5:42 am, Jakob Heitz (jheitz) via NANOG wrote: > The article linked says no mainstream BGP implementation supports TCP-AO. > IOS-XE and IOS-XR support it. > > While I do not represent the Cisco view, personally I like the idea of BGP > over TLS. Excellent, that'

Re: BGP over TLS

2019-10-22 Thread Christopher Morrow
On Tue, Oct 22, 2019 at 6:35 AM Julien Goodwin wrote: > > > > On 22/10/19 4:04 am, Jared Mauch wrote: > > > > > >> On Oct 21, 2019, at 12:30 PM, Joe Abley wrote: > >> > >> On 21 Oct 2019, at 12:05, Keith Medcalf wrote: > >> > >>> On Monday, 21 October, 2019 09:44, Robert McKay wrote: > >>> > >>

RE: BGP over TLS

2019-10-22 Thread Keith Medcalf
>TLS in the traditional sense 'requires' that there be an X.509 >certificate to use in authenticating (and to some extent authorizing - >can you be a CA? sign email? etc...) endpoints, ideally you do 'tls >mutual authentication'... That is incorrect. I believe that an endpoint (lets call it Alice

Re: BGP over TLS

2019-10-22 Thread Chris Adams
. Chuck could have answered Alice's call, turned around and called Bob, connected the two, and be listening in (and potentially even modifying communications between Alice and Bob). This is why encryption without some type of endpoint authentication is not secure. I could see BGP over TLS requi

Re: BGP over TLS

2019-10-22 Thread Bjørn Mork
Christopher Morrow writes: > The x.509 system, to be effective here would require a TrustAnchor / > Root-of-Trust that both parties agreed was acceptable... As in a shared TrustAnchor? No. Both ends could use a simple self signed certificate and be configured to trust the other. A hash of the

Re: BGP over TLS

2019-10-22 Thread Brandon Martin
On 10/22/2019 14:07, Keith Medcalf wrote: That is incorrect. I believe that an endpoint (lets call it Alice) can connect to another endpoint (lets call it Bob) and Alice can say to Bob, "Hello Dude, lets negotiate a secret key between us". "Yokkely dokelly", says Bob, "Lets do that". They th

Re: BGP over TLS

2019-10-22 Thread Christopher Morrow
On Tue, Oct 22, 2019 at 2:21 PM Bjørn Mork wrote: > > Christopher Morrow writes: > > > The x.509 system, to be effective here would require a TrustAnchor / > > Root-of-Trust that both parties agreed was acceptable... > > As in a shared TrustAnchor? No. Both ends could use a simple self as an o

Re: BGP over TLS

2019-10-22 Thread Jared Mauch
No, > On Oct 22, 2019, at 2:08 PM, Keith Medcalf wrote: > > At this point further communications are encrypted and secure against > eavesdropping. The problem isn't the protocol being eavesdropped on. The data is already published publicly by many people. The problem is one of mutual authe

RE: BGP over TLS

2019-10-22 Thread Keith Medcalf
On Tuesday, 22 October, 2019 13:26, Jared Mauch wrote: >No, >> On Oct 22, 2019, at 2:08 PM, Keith Medcalf wrote: >> At this point further communications are encrypted and secure against >>eavesdropping. >The problem isn't the protocol being eavesdropped on. The data is already >published pu

Re: BGP over TLS

2019-10-22 Thread Jared Mauch
> On Oct 22, 2019, at 6:31 PM, Keith Medcalf wrote: > > I see. It is an AIC problem, not a CIA problem. TLS in its default > usage is a CIA thing because, well, it was designed to solve CIA > problems where even temporary secrecy is more important than being down > for a week. As had been p

RE: BGP over TLS

2019-10-23 Thread adamv0025
> Sent: Tuesday, October 22, 2019 8:26 PM > To: Keith Medcalf > > No, > > > > On Oct 22, 2019, at 2:08 PM, Keith Medcalf > wrote: > > > > At this point further communications are encrypted and secure against > eavesdropping. > > The problem isn't the protocol being eavesdropped on. The data i

Re: BGP over TLS

2019-10-23 Thread Alain Hebert
real endgame from the people(s) proposing "BGP over TLS"? It feel like someone is trying to create a job for himself over a solution in search of a problem. - Alain Hebert aheb...@pubnix.net PubNIX Inc. 50 boul. St-Charles P.O. Box 26770 Be

Re: BGP over TLS

2019-10-23 Thread Christopher Morrow
On Wed, Oct 23, 2019 at 10:43 AM wrote: > > > Sent: Tuesday, October 22, 2019 8:26 PM > > To: Keith Medcalf > > > > No, > > > > > > > On Oct 22, 2019, at 2:08 PM, Keith Medcalf > > wrote: > > > > > > At this point further communications are encrypted and secure against > > eavesdropping. > > > >

Re: BGP over TLS

2019-10-23 Thread Christopher Morrow
n) it'd be nice to not have to do a bunch of really heavyweight things just to get better authen/integrity/ for my bgp traffic, I think. > What is the real endgame from the people(s) proposing "BGP over TLS"? It > feel like someone is trying to create a j

Re: BGP over TLS

2019-10-24 Thread Randy Bush
> there ARE problems with tcp-md5... some are "because we collectively > didn't squeak enough to get key-tables" i believe many vendors implement key scheduling. no one uses it, and i do not suggest they do. randy

RE: BGP over TLS

2019-10-24 Thread adamv0025
> From: Christopher Morrow > Sent: Wednesday, October 23, 2019 6:53 PM > Subject: Re: BGP over TLS > > On Wed, Oct 23, 2019 at 10:43 AM wrote: > > > > > Sent: Tuesday, October 22, 2019 8:26 PM > > > To: Keith Medcalf > > > > > > N

Re: BGP over TLS

2019-10-24 Thread Christopher Morrow
On Thu, Oct 24, 2019 at 9:33 AM wrote: > > > From: Christopher Morrow > > Sent: Wednesday, October 23, 2019 6:53 PM > > Subject: Re: BGP over TLS > > > > On Wed, Oct 23, 2019 at 10:43 AM wrote: > > > > > > > Sent: Tuesday, October 22, 2019

RE: BGP over TLS

2019-10-25 Thread adamv0025
> From: Christopher Morrow > Sent: Friday, October 25, 2019 7:08 AM > > > > > So move from bilateral peering over common IX-LAN to direct > > > > peering Or if a direct link is still not to be trusted do MACSEC. > > > > Then it's all about you and the peer -if he/she screws you over de-peer. > >

BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Bjørn Mork
by an attempt to make a joke on DoH. I didn't anticipate the sudden turn to serious discussion :-) Which obviously was a good one. I am all for BGP over TLS, so let's discuss https://laptop006.livejournal.com/60532.html Bjørn

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Julien Goodwin
discussion :-) Which > obviously was a good one. I am all for BGP over TLS, so let's discuss > https://laptop006.livejournal.com/60532.html If anyone is at all interested in this I'm happy to discuss and flesh out anything that's not clear. After I wrote this (over a few bot

RE: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Keith Medcalf
>On 21/10/19 6:30 pm, Bjørn Mork wrote: >> Yes, and I really like Julien's proposal. It even looks pretty >> complete. There are just a few details missing around how to make the >> MD5 => TLS transition smooth. >At least for those systems that run on Linux (which is most all of the >major's

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Radu-Adrian Feurdean
On Mon, Oct 21, 2019, at 17:30, Keith Medcalf wrote: > Why do you need to do anything? TLS is Transport Layer Security and > its sole purpose is to protect communications from eavesdropping or > modification by wiretappers on/in the line between points A and B. MD5 > in BGP is used for authe

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Brandon Martin
On 10/21/19 11:30 AM, Keith Medcalf wrote: > Why cannot one just put the MD5 authenticated connection inside a TLS > connection? What is the advantage to be gained by replacing the > authentication mechanism with weaker certificate authentication method > available with TLS? Self-issued certif

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Brielle
On 10/21/2019 1:25 PM, Brandon Martin wrote: Wouldn't ipsec be a "cleaner" solution to this (buginess of implementations and difficulty of configuration aside)? It would also solve the TCP-RST injection issues that TCP-MD5 was intended to resolve. You can use null encryption with ESP or even

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Brandon Martin
On 10/21/19 3:37 PM, Jeffrey Haas wrote: > BGP over ipsec works fine. But that said, it's mostly done with pre-shared > keys. Is anybody actually doing it in practice? Every transit and peering document I've ever seen just talks about TCP-MD5 (if it talks about authentication at all). > The

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Jeffrey Haas
> On Oct 21, 2019, at 3:25 PM, Brandon Martin wrote: > > On 10/21/19 11:30 AM, Keith Medcalf wrote: >> Why cannot one just put the MD5 authenticated connection inside a TLS >> connection? What is the advantage to be gained by replacing the >> authentication mechanism with weaker certificate

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Jared Mauch
This was one thing I highlighted to the people telling me how I secure my network wrong. If it's HTTP and you lose a few clients maybe they don't care. If it's BGP I have one client and I care a lot and that session dropping can be gigs to tbps of traffic. Sent from my iCar > On Oct 21, 2019,

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Jeffrey Haas
> On Oct 21, 2019, at 4:17 PM, Brandon Martin wrote: > > On 10/21/19 3:37 PM, Jeffrey Haas wrote: >> BGP over ipsec works fine. But that said, it's mostly done with pre-shared >> keys. > > Is anybody actually doing it in practice? Absolutely. In the SP sector? Less clear. >> The ugly is

Re: BGP over TLS (was: Re: "Using Cloud Resources to Dramatically Improve Internet Routing")

2019-10-21 Thread Brandon Martin
On 10/21/19 4:41 PM, Jeffrey Haas wrote: I'm not someone qualified, but I'll regurgitate what I've distilled from past conversations with those who are.:-) Presuming your key is strong enough, it may be infeasible to break it in a time that's of interest to the parties involved. The primary i