[j-nsp] Fwd: Re: BGP Multipath

Saku Ytti saku at ytti.fi
Sun Jul 21 03:40:29 EDT 2013


On (2013-07-21 07:31 +0200), Mark Tinka wrote:

> I'd normally use different MD5 passwords for different BGP 
> sessions, even though they are with the same remote 
> network.

For eBGP this is manageable, as there must already be a system for per-eBGP
session configuration.
For iBGP it's very inconvenient, as typically that system is missing: the iBGP
config just appears from base templates, or the RR might be using an allow/listen
stanza and not require any configuration at all.

I'd really hope vendors would implement the TCP-AO RFC; it would fix this
problem right up, as the actual configured password is used just as 'random'
data for a KDF, which produces the real password used on the wire. And the KDF
uses SIP, DIP, SPORT, DPORT and initial sequence numbers for entropy, so
someone who tries to recover the password only has the lifetime of that single
TCP session; if the TCP session is reset, it's a new password.
It's baffling how naive the MD5 RFC is.


-- 
  ++ytti
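The per-session key derivation described in the message above, as an added example that is not part of the original post or of any vendor implementation. It follows my reading of the KDF_HMAC_SHA1 construction in RFC 5926 (HMAC-SHA1 over counter || "TCP-AO" || 0x00 || context || output length) with the RFC 5925 context of the 4-tuple plus both ISNs; the addresses, ports, ISNs and master key are constructed sample values, and real stacks may pre-process the configured master key differently.

```python
import hashlib
import hmac
import ipaddress
import struct

LABEL = b"TCP-AO"      # fixed label from RFC 5926
OUTPUT_BITS = 160      # HMAC-SHA1 traffic key length


def tcp_ao_context(sip, dip, sport, dport, isn_a, isn_b):
    """Context block (RFC 5925 sec. 5.2): SIP || DIP || SPORT || DPORT || ISN_A || ISN_B.
    Because both ISNs are bound in, a reset session yields a different key."""
    return (ipaddress.ip_address(sip).packed
            + ipaddress.ip_address(dip).packed
            + struct.pack("!HHII", sport, dport, isn_a, isn_b))


def kdf_hmac_sha1(master_key, context, output_bits=OUTPUT_BITS):
    """KDF_HMAC_SHA1 (RFC 5926 sec. 3.1.1.1), one iteration (i = 1) since
    a single SHA-1 output already covers the 160-bit traffic key."""
    msg = b"\x01" + LABEL + b"\x00" + context + struct.pack("!H", output_bits)
    return hmac.new(master_key, msg, hashlib.sha1).digest()


def send_traffic_key(master_key, sip, dip, sport, dport, isn_local, isn_remote):
    """Send_other_traffic_key for an established session (ISN_B = 0 for the SYN key).
    The configured master key never appears on the wire; only this derived key does."""
    ctx = tcp_ao_context(sip, dip, sport, dport, isn_local, isn_remote)
    return kdf_hmac_sha1(master_key, ctx)


def demo_session_keys(master_key=b"constructed-ibgp-password"):
    """Derive keys for two sessions between the same peers (constructed values),
    differing only in the ISNs, as after a TCP reset."""
    common = ("192.0.2.1", "192.0.2.2", 179, 54321)
    before_reset = send_traffic_key(master_key, *common, 0x11223344, 0x55667788)
    after_reset = send_traffic_key(master_key, *common, 0x0a0b0c0d, 0x0e0f1011)
    return before_reset, after_reset


if __name__ == "__main__":
    k1, k2 = demo_session_keys()
    print("before reset:", k1.hex())
    print("after reset: ", k2.hex())
```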