> Yes, servers will support AO, if for no other reason than they support
> BGP and MD5 now.
the problem is that they don't really. check out, for example, the
freebsd md5 hack. it is send-only, does not check on receive. i am
told there are similar messes elsewhere.
basically this is a mess.
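The "send-only, does not check on receive" point above is the failure mode that matters for TCP-MD5: an implementation that signs outgoing segments but never verifies incoming ones gets none of the protection. The block below is an added illustration, not code from this thread, from FreeBSD, or from any router vendor. It builds the RFC 2385 digest (pseudo-header, fixed TCP header with checksum zeroed, segment data, shared key) over a constructed segment and shows what a receive-side check has to do; the function names, the sample key and the RFC 5737 documentation addresses are my own choices, and the real TCP checksum is left at zero since it is excluded from the digest anyway.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_MD5_OPTION_KIND = 19   # RFC 2385 option kind
TCP_MD5_OPTION_LEN = 18    # kind + length + 16-byte digest


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest: pseudo-header, 20-byte fixed TCP header with the
    checksum zeroed (options are excluded), segment data, then the key."""
    doff = (segment[12] >> 4) * 4          # header length incl. options
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"             # checksum is hashed as zero
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return hashlib.md5(pseudo + bytes(fixed) + segment[doff:] + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, data, key):
    """Constructed segment: fixed header + MD5 option + 2 NOPs (40 bytes) + data."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         10 << 4, flags, 65535, 0, 0)   # doff = 10 words
    option_hdr = bytes([TCP_MD5_OPTION_KIND, TCP_MD5_OPTION_LEN])
    nops = b"\x01\x01"
    # Digest is computed over a placeholder option; option bytes are not hashed.
    placeholder = header + option_hdr + b"\x00" * 16 + nops + data
    digest = tcp_md5_digest(src_ip, dst_ip, placeholder, key)
    return header + option_hdr + digest + nops + data


def extract_md5_option(segment):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    doff = (segment[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:                     # malformed option, stop parsing
            break
        if kind == TCP_MD5_OPTION_KIND and length == TCP_MD5_OPTION_LEN:
            return segment[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """The receive-side check a send-only implementation omits."""
    received = extract_md5_option(segment)
    if received is None:
        return False                       # signed session, unsigned segment: drop
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(received, expected)


def accept_without_check(segment):
    """Models a send-only implementation: it signs what it sends and accepts
    whatever arrives, so the key never protects the receive path."""
    return True


def demo():
    key = b"example-shared-secret"          # constructed sample key
    src, dst = "192.0.2.1", "192.0.2.2"     # RFC 5737 documentation addresses
    genuine = build_signed_segment(src, dst, 179, 40000, 1000, 2000,
                                   0x18, b"BGP payload", key)
    # Same header and option, payload altered after signing (same length).
    altered = genuine[:40] + b"BGP forgery"
    # A bare 20-byte RST with no MD5 option at all.
    unsigned_rst = struct.pack("!HHIIBBHHH", 179, 40000, 1000, 2000,
                               5 << 4, 0x04, 0, 0, 0)
    return {
        "genuine_verifies": verify_segment(src, dst, genuine, key),
        "altered_verifies": verify_segment(src, dst, altered, key),
        "unsigned_rst_verifies": verify_segment(src, dst, unsigned_rst, key),
        "wrong_key_verifies": verify_segment(src, dst, genuine, b"other-key"),
        "send_only_accepts_altered": accept_without_check(altered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the contrast the message is complaining about: the verifying receiver rejects the altered payload, the unsigned RST and the wrong key, while the send-only model accepts all of them. Note that even a correct receive-side check only gives you MD5 with a shared password, which is the reason for wanting AO in the first place.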
On Sat, Jun 4, 2011 at 10:02 AM, Joe Touch wrote:
> So basically the problem is that:
>
> - routers don't all support IPsec for the control plane
>
> - servers don't yet implement AO
routers don't yet support AO either :( at least not in juniper 10.x
code nor cisco 12.2(S) or 15 code...
(or not t
So basically the problem is that:
- routers don't all support IPsec for the control plane
- servers don't yet implement AO
I repeat that there's a known solution that is already being used for BGP:
Use AO if available
Use MD5 in the meantime
Yes, servers will support AO, if for no other reaso
On Jun 3, 2011, at 7:15 PM, Uma Chunduri wrote:
> exactly how is MD5 the weakest link here? some particular words about the
> threat model + ability to subvert a running session which ships a few
> megabytes/minute around would be in order here.
>
> [Uma]
>
> 1. Wang, X., H. Yu, "How to break
Hi all,
Trying to catch up with you all here.
From reading the mail thread it seems to me that:
- tcp-md5 is available but undesirable
- tcp-ao is desirable but unavailable so far
- ssh is available and slightly undesirable for performance reasons but desirable in security terms
That woul