Thread: key change for TCP-MD5




2006-06-23 21:02:01
Assumptions, assumptions.

If your IPSEC is being done in hardware and you have appropriate QoS
mechanisms in your network, you will probably not be able to pass your
best effort traffic but the rest should be OK.

Can we get back to the regularly scheduled programming
instead of throwing big numbers around?
 
Barry had a point, if you do IPSEC stupidly, it does not protect you.
If you pay attention to detail, it does help. It is not the panacea.

For the purpose of securing BGP, I think IPSEC is easy to configure (at
least on IOS which is what I'm used to), and will do the job. And for
this application, I don't see why certs can't be used either.

Regards

Bora


> -----Original Message-----
> From: Valdis.Kletnieksvt.edu [mailto:Valdis.Kletnieksvt.edu]
> Sent: Friday, June 23, 2006 1:46 PM
> To: Bora Akyol
> Cc: Barry Greene (bgreene); Ross Callon; nanogmerit.edu
> Subject: Re: key change for TCP-MD5
> 
> On Fri, 23 Jun 2006 13:35:20 PDT, Bora Akyol said:
> 
> > The validity of your statement depends tremendously on how IPSEC is
> > implemented.
> 
> If 113 million packets all show up at once, you're going to
> get DoS'ed, whether or not you have IPSEC enabled.
> 

2006-06-23 22:05:43

On Jun 23, 2006, at 2:02 PM, Bora Akyol wrote:

> If your IPSEC is being done in hardware and you have appropriate QoS
> mechanisms in your network, you will probably not be able to pass
> your best effort traffic but the rest should be OK.

Unless the DoS is within the IPSEC tunnel and crowds out the good
traffic.

;>

Your original post seemed to imply that IPSEC is an anti-DoS
mechanism, as does the statement 'If you pay attention to detail, it
does help.'  IPSEC is not an anti-DoS mechanism at all, it's
important to be clear about that.

----------------------------------------------------------------------
Roland Dobbins <rdobbinscisco.com> // 408.527.6376 voice

      Everything has been said.  But nobody listens.

                    -- Roger Shattuck


