[j-nsp] Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?

Jeff Haas jhaas at juniper.net
Wed Sep 27 10:26:03 EDT 2023


[Warning: vendor anecdata follows]

In bgp-land where we're a primary motivator, but only a client of tcp-ao, we've seen a few minor bugs from the field primarily dealing with keychain configuration or rollover issues in the last few years.  Basically enough activity to suggest people are minimally playing with it, to possibly deploying it.  The folk in JTAC would be able to tell us more by mining configs, but for good reasons they don't want us poking through customer configs too arbitrarily.  In terms of my experience for "bug activity as a proxy for deployment", I'd guess we're still moving in early stages, but it's happening.

The fact that tcp-ao support in Linux is becoming more pervasive will likely help us close some gaps and likely provide better support for vendors that use that as their underlying OS.

One note to keep in mind in terms of roll-out is implementations with NSR support have to do rather unpleasant things to TCP stacks in order to implement an already tricky feature.  This is one of the reasons why deployment across vendors is slow.

-- Jeff

On 9/27/23, 1:35 AM, "juniper-nsp on behalf of Saku Ytti via juniper-nsp" <juniper-nsp-bounces at puck.nether.net on behalf of juniper-nsp at puck.nether.net> wrote:


On Wed, 27 Sept 2023 at 03:50, Barry Greene via juniper-nsp
<juniper-nsp at puck.nether.net> wrote:


> Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?
>
> I’m not touching routers right now. I’m wondering if anyone has deployed, your experiences, and thoughts?


For the longest time (like close to a decade) no one supported it at
all, not even Juniper, because the Juniper implementation was pre-RFC,
which was incompatible with the RFC.


To my understanding today there is support in Junos, IOS-XE, IOS-XR,
SROS, EOS and VRP. I have no operational experience to share.


--
++ytti