Changing BGP TCP MD5 passwords (posted 2006-09-30)

The BGP TCP MD5 password mechanism (RFC 2385) is very useful to protect BGP sessions from attempts at unpleasantness by third parties. However, it is rather simplistic. One of the flaws is that there are no provisions for changing the password. In the old days, setting a new password for a neighbor would cause Cisco routers to tear down and reestablish the BGP session. Today, the session survives if the password or key is changed at more or less the same time at both ends. This requires a good deal of coordination. I must say that I can't remember anyone asking me to change an existing BGP password. But the security people insist that it's important to do this regularly, for instance, when employees leave. I think they have a different appreciation of the sensitivity of this key than those of us working in operations.

Anyway, Steve Bellovin, a well-known member of the IETF, has written this "internet draft" and submitted it for publication as an RFC:

http://www.ietf.org/internet-drafts/draft-bellovin-keyroll2385-03.txt (will be deleted after 6 months)

What he proposes is that a router can have more than one active key so it's possible for one end to change keys and the other end to go along with this without the need to coordinate the password change very closely. Unfortunately, it's still possible to configure the wrong key, or forget to change the key after agreeing to do so, and then the BGP session will go down at some point, probably conveniently in the middle of the night. See my posting to the IETF discussion list for details.

Well, progress isn't always progress, I guess. If you have any opinions on the matter, email me.