On Dec 10, 2012, at 12:17 PM, Randy Bush wrote:

>> reports of current ISP behavior wrt TCP MD5 keys seem to be that they
>> currently decide never to change keys at all, ironically.
> 
> currently, you would have to synch simultaneous config changes at both
> ends of the wire, not reasonable.  and, instead of vendors doing the
> simple hack of rfc 4808, we've been waiting five+ years for the promised
> nirvana of tcp-ao.  a kewpie doll for the first person who can cite a
> real deployed tcp-ao implementation.

And that's between adjacent BGP-speaking routers for a single transport
connection!

I can't wait until my prefix doesn't make it 'n' AS hops through the Internet 
because I used an origin or forward signing key in BGPSEC secure path bits and 
an RP (BGP router) upstream didn't have that particular validation key in their 
onboard state 'at the ready'.

-danny
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
