On 21 Oct 2019, at 12:05, Keith Medcalf <kmedcalf@dessus.com> wrote:
On Monday, 21 October, 2019 09:44, Robert McKay <robert@mckay.com> wrote:
The MD5 authentication is built into TCP options.. not obvious how you would transport it over TLS which afaik doesn't offer similar functionality.
AHA! I understand now and sit corrected. I was under the mistaken impression that MD5 authentication was an application level thing, not a TCP level thing.
Well, TLS exists within a TCP session, and that TCP session could incorporate the MD5 signature option. I guess. Julien's BGP-STARTTLS idea is interesting. I wonder about the practicality of deploying certificates to every BGP speaker that are useful for strict checking by neighbours, though. Perhaps I've been too long with my hands out of routers and things have moved on, but it seems to me that the history of certificate management in routers is not a rich tapestry of triumph. Without strict checking in both directions, the threat model with TLS looks pretty similar to that with TCP-MD5 with not very secret secrets, which I gather is one of the deficiencies that the TLS proposal seeks to address. Joe