On 10/21/19 11:30 AM, Keith Medcalf wrote:
Why cannot one just put the MD5 authenticated connection inside a TLS connection? What is the advantage to be gained by replacing the authentication mechanism with the weaker certificate authentication method available with TLS?
Self-issued certificates with either CA pinning or end-certificate hash pinning are arguably more secure than a shared passphrase as used by TCP-MD5, in that someone with knowledge of the secrets of one end cannot use it to impersonate the other end, whereas a shared passphrase is inherently shared and symmetric in that respect. Whether that really provides much value in the context of a BGP session is perhaps questionable.

As has been pointed out elsewhere in the thread, TLS does also support PSK-based authentication and keying rather than certificates. It's not commonly used since the normal uses of TLS are one-server<->many-clients, which doesn't lend itself well to such things, but it's at least defined.

Wouldn't ipsec be a "cleaner" solution to this (bugginess of implementations and difficulty of configuration aside)? It would also solve the TCP-RST injection issues that TCP-MD5 was intended to resolve. You can use null encryption with ESP or even just AH if you want authentication without confidentiality, too.

Or are we all going to admit that ipsec is almost dead in that it's just too darned complex? Just run BGP over TCP as normal and install a security policy that says it must use ipsec with appropriate (agreed-upon) authentication. "Just", right?

--
Brandon Martin
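The symmetry point in the message above, as an added example that is not part of the original post: a Python sketch of the RFC 2385 (TCP-MD5) digest showing that either holder of the passphrase produces the same valid digest, while an RST made without the key is rejected. The key, addresses, ports and sequence numbers are constructed, and the header layout assumes the MD5 option is the only TCP option.

```python
import hashlib
import hmac
import socket
import struct

def tcp_md5_digest(src, dst, sport, dport, seq, ack, flags, data, key):
    """RFC 2385 digest: MD5 over the pseudo-header, the TCP header without
    options (checksum zeroed), the segment data, then the shared key."""
    hdr_len = 40  # assumption: 20-byte base header + MD5 option padded to 20
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, hdr_len + len(data))
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         (hdr_len // 4) << 4, flags, 65535, 0, 0)
    return hashlib.md5(pseudo + header + data + key).digest()

def verify(segment, digest, key):
    """Receiver-side check: recompute with the local copy of the key."""
    return hmac.compare_digest(digest, tcp_md5_digest(*segment, key))

# Constructed sample values (RFC 5737 documentation addresses).
A, B = "192.0.2.1", "192.0.2.2"
KEY_AT_A = b"constructed-shared-passphrase"
KEY_AT_B = b"constructed-shared-passphrase"  # same secret, configured on both ends
RST, PSH_ACK = 0x04, 0x18

def demo():
    a_to_b = (A, B, 50000, 179, 1000, 2000, PSH_ACK, b"constructed BGP bytes")
    rst = (A, B, 50000, 179, 1021, 0, RST, b"")
    return {
        # Normal case: A computes the digest, B checks it.
        "genuine": verify(a_to_b, tcp_md5_digest(*a_to_b, KEY_AT_A), KEY_AT_B),
        # A digest made with B's copy verifies for a segment labelled "from A":
        # it shows that a key holder made it, not which end did.
        "made_with_b_copy": verify(a_to_b, tcp_md5_digest(*a_to_b, KEY_AT_B), KEY_AT_A),
        # RST injection without the passphrase fails the receiver's check.
        "rst_without_key": verify(rst, tcp_md5_digest(*rst, b"wrong-guess"), KEY_AT_B),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: accepted={accepted}")
```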