In message <199906141822.SAA05311at_private>, Craig Metz writes:

> The (IMO) obvious fix for this problem is to use IPsec's Authentication
> Header (AH) and to deprecate the TCP MD5 option. There are several freely
> available and viable AH implementations for BSD (including the NRL, OpenBSD,
> and KAME ones) and I believe that modern IOS has AH code in it though it's not
> currently set up for protecting routing traffic. AH covers all of the TCP
> header and options, as well as typically having a better MAC function (the RFC
> 2385 option builds a MAC by appending the key, which is possibly the weakest
> way to do it).

The RFC 2385 scheme describes a hack that was developed precisely because
IPSEC wasn't ready, and *something* was needed to protect BGP traffic. You're
absolutely right -- no one should use it for any new work.
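The RFC 2385 construction the quoted message criticises, written out as an added example (this is not code from the thread or from any of the implementations it names). The digest inputs and the option layout (kind 19, length 18, 16-byte MD5 digest) follow RFC 2385; the addresses, ports, key, MSS value and all function names are made up for the illustration. The block also shows what "AH covers all of the TCP header and options" buys you: a modified window field fails verification, while a modified MSS option still verifies, because RFC 2385 hashes the fixed header only.

```python
"""RFC 2385 TCP MD5 signature option, worked example.

Added illustration only; addresses, ports, key and MSS are constructed.
"""
import hashlib
import hmac
import socket
import struct

TCPOPT_NOP = 1              # RFC 793 no-operation option kind
TCPOPT_MSS = 2              # RFC 793 maximum segment size option kind
TCPOPT_MD5SIG = 19          # RFC 2385 option kind
TCPOPT_MD5SIG_LEN = 18      # kind + length + 16-byte MD5 digest


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header as used by the TCP checksum: source, destination,
    a zero byte, protocol 6, and the length of TCP header plus data."""
    return struct.pack("!4s4sBBH",
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def fixed_tcp_header(sport, dport, seq, ack, flags, window, options_len):
    """20-byte TCP header with checksum zero; data offset counts the options."""
    data_offset = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def rfc2385_digest(src_ip, dst_ip, fixed_hdr, options, data, key):
    """MD5 over: pseudo-header, the fixed TCP header with checksum zeroed
    (options are NOT included), segment data, and finally the raw key.
    The key is simply appended, i.e. MD5(message || key), which is the
    'append the key' construction the message above objects to."""
    if len(fixed_hdr) != 20:
        raise ValueError("fixed TCP header must be 20 bytes")
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]   # zero the checksum
    m = hashlib.md5()
    m.update(pseudo_header(src_ip, dst_ip, 20 + len(options) + len(data)))
    m.update(hdr)
    m.update(data)
    m.update(key)
    return m.digest()


def build_options(mss, digest):
    """Option block: MSS, two NOPs for alignment, then the MD5 option.
    4 + 2 + 18 = 24 bytes, a multiple of four as TCP requires."""
    mss_opt = struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    md5_opt = bytes([TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN]) + digest
    return mss_opt + bytes([TCPOPT_NOP, TCPOPT_NOP]) + md5_opt


def sign_segment(src_ip, dst_ip, fixed_hdr, mss, data, key):
    """Return the option block carrying the computed MD5 option."""
    placeholder = build_options(mss, bytes(16))   # same length as the final block
    digest = rfc2385_digest(src_ip, dst_ip, fixed_hdr, placeholder, data, key)
    return build_options(mss, digest)


def extract_digest(options):
    """Walk the option list; return the MD5 option's digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                   # end of option list
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = options[i + 1]
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, fixed_hdr, options, data, key):
    """Recompute the digest and compare it in constant time."""
    received = extract_digest(options)
    if received is None:
        return False
    expected = rfc2385_digest(src_ip, dst_ip, fixed_hdr, options, data, key)
    return hmac.compare_digest(received, expected)


def demo():
    """Sign a BGP SYN, then tamper with a covered and an uncovered field.
    Returns (genuine_ok, window_tampered_ok, mss_option_tampered_ok)."""
    key = b"example-bgp-password"            # constructed key
    src, dst = "192.0.2.1", "192.0.2.2"      # documentation addresses
    opts_len = len(build_options(1460, bytes(16)))
    hdr = fixed_tcp_header(40000, 179, 1000, 0, 0x02, 65535, opts_len)
    data = b""
    options = sign_segment(src, dst, hdr, 1460, data, key)
    genuine = verify_segment(src, dst, hdr, options, data, key)
    # window field (bytes 14-15) is inside the fixed header: covered
    bad_hdr = hdr[:14] + struct.pack("!H", 1) + hdr[16:]
    window_tampered = verify_segment(src, dst, bad_hdr, options, data, key)
    # MSS option rewritten, digest left intact: options are not covered
    bad_opts = build_options(536, extract_digest(options))
    mss_tampered = verify_segment(src, dst, hdr, bad_opts, data, key)
    return genuine, window_tampered, mss_tampered


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, True)`: the genuine segment verifies, a changed window fails, and a rewritten MSS option passes unnoticed because RFC 2385 excludes options from the digest. The only thing the option list contributes is its length, via the pseudo-header. Both gaps named in the quoted message are visible here: options sit outside the integrity check, and the key enters only as a suffix of the hashed data rather than through a keyed MAC construction.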
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:49:45 PDT