BGP over TLS

[robert at mckay.com (Robert McKay)]

On 2019-10-21 16:30, Keith Medcalf wrote:
>> On 21/10/19 6:30 pm, Bjørn Mork wrote:
> 
>>> Yes, and I really like Julien's proposal.  It even looks pretty
>>> complete.  There are just a few details missing around how to make 
>>> the
>>> MD5 => TLS transition smooth.
> 
>> At least for those systems that run on Linux (which is most all of the
>> major's except Juniper) I suspect if we went to the relevant kernel 
>> folk
>> with a clear plan on how handling TCP-MD5 in a way that would make
>> transitions much easier they'd listen.
> 
> Why do you need to do anything?  TLS is Transport Layer Security and
> it's sole purpose is to protect communications from eavesdropping or
> modification by wiretappers on/in the line between points A and B.
> MD5 in BGP is used for authentication (rudimentary, but authentication
> nonetheless).
> 
> Why cannot one just put the MD5 authenticated connection inside a TLS
> connection?  What is the advantage to be gained by replacing the
> authentication mechanism with weaker certificate authentication method
> available with TLS?

The MD5 authentication is built into TCP options.. not obvious how you 
would transport it over TLS which afaik doesn't offer similar 
functionality.

You'd probably have to basically tunnel TCP frames inside TLS, which 
doesn't really sound ideal (reimplement TCP in userspace?)

Either that or maybe use some other simpler MD5 based authentication 
(unrelated to the TCP implementation currently used in BGP).. but then 
that raises lots of questions like why even use MD5.

Rob