
Re: [karp] Gen-ART Telechat Review of draft-ietf-karp-routing-tcp-analysis-06

2012-12-19 17:21:31
On 18/12/2012 23:15, Anantha Ramaiah wrote:
> Also TCP MD5 with periodic key rollover can make the life harder for TCP
> MD5 based collision attacks.

There is no facility in RFC 2385 for automatic key rollover, which means
that any key changes must be done manually.  I've come across gratuitous
key rollover happening exactly once in my career: namely where (as far as I
understand) a particular company had used the same MD5 key for all eBGP
peering sessions worldwide.  They eventually decided that this wasn't such
a good idea and subsequently changed keys whenever they changed routers /
BGP sessions / did port upgrades / etc.  Other than that, I've never come
across a case of someone wanting to proactively change a session key
because it seemed to be a good idea.  Just sayin'.

Nick
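The RFC 2385 mechanics behind Nick's point, as an added example that is not part of the thread: the signature is MD5 over the pseudo-header, the fixed TCP header (checksum zeroed, options excluded), the data and the raw shared key, with no key identifier in the option, so a receiver has no way to tell which key a peer used. The `keys` dict holding both old and new keys models the transition window an operator has to configure by hand; that accept-either behaviour, the addresses and the key strings are constructed assumptions, not anything RFC 2385 defines.

```python
import hashlib, hmac, socket, struct

TCP_PROTO = 6
MD5_OPT_KIND, MD5_OPT_LEN = 19, 18   # RFC 2385 option: kind, length (2 + 16-byte digest)

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest: MD5(pseudo-header || fixed header with checksum zeroed
    and options omitted || data || key).  Nothing in the input names the key."""
    data_off = (segment[12] >> 4) * 4
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed + segment[data_off:] + key).digest()

def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """Constructed segment: 20-byte fixed header, MD5 option + 2 NOP pad, data."""
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 10 << 4,
                        0x18, 65535, 0, 0)   # data offset 10 words, PSH|ACK, csum 0
    opt_hdr = bytes([MD5_OPT_KIND, MD5_OPT_LEN])
    unsigned = fixed + opt_hdr + bytes(16) + b"\x01\x01" + payload
    digest = tcp_md5_digest(src_ip, dst_ip, unsigned, key)
    return fixed + opt_hdr + digest + b"\x01\x01" + payload

def find_md5_option(segment):
    """Walk the TCP option list; return the 16-byte digest or None."""
    opts = segment[20:(segment[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # end of option list
            return None
        if kind == 1:                     # NOP
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:                    # malformed, stop rather than loop
            return None
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return opts[i + 2:i + 18]
        i += length
    return None

def verify_segment(src_ip, dst_ip, segment, keys):
    """Return the label of the first configured key that validates, else None.
    Trying several keys is how a receiver survives a manual rollover."""
    got = find_md5_option(segment)
    if got is None:
        return None
    for label, key in keys.items():
        if hmac.compare_digest(got, tcp_md5_digest(src_ip, dst_ip, segment, key)):
            return label
    return None

def rollover_demo():
    """Peer still signs with the old key after we switched: rejected unless
    the old key is kept configured during the transition window."""
    src, dst = "192.0.2.1", "192.0.2.2"   # constructed documentation addresses
    seg = build_signed_segment(src, dst, 179, 49152, 1000, 2000, b"BGP-ish", b"oldkey")
    return (verify_segment(src, dst, seg, {"new": b"newkey"}),
            verify_segment(src, dst, seg, {"new": b"newkey", "old": b"oldkey"}))
```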