[e2e] Receiving RST on a MD5 TCP connection.

RJ Atkinson rja at extremenetworks.com
Mon Jul 4 02:31:21 PDT 2005


On Jul 1, 2005, at 14:05, Mitesh Dalal wrote:
> what we are discussing is how fast we can detect stale connections
> to a rebooted host. New keys come into the picture only if the host is up.
> For TCP MD5 scenarios we don't change keys ever.

Mitesh,

     Years of operational experience says that at present, using the
existing specification, stale connections are detected more than
sufficiently quickly for a rebooted BGP router.  Deployment of
TCP MD5 by ISPs preceded the RFC describing the mechanism, so the
age of the RFC represents a lower bound, not an upper bound,
on the duration of operational experience in this particular case.

     In short, you are worrying about something that is not actually
a problem in an operational IP network using BGP with TCP MD5.

> yes, so let's use a combination lock: the owner does not have to carry
> a key around (and potentially lose it) and instead simply remembers
> the right combination (hint: tcpsecure) to gain access :)

     I'm sure that I don't understand the above paragraph.  If
you have some proposal for enhancing BGP, the right place to
send that proposal is probably the IETF's IDR Working Group,
though putting out an I-D with one's ideas is rarely a bad step
to undertake.

Cheers,

Ran
rja at extremenetworks.com