Mailing List Archive

Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?
Hi Team,

Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?

I’m not touching routers right now. I’m wondering if anyone has deployed it, and what your experiences and thoughts are.

This is supposed to be the “replacement” for BGP MD5, ‘but’ I’m hearing ...

1. The vendors are not supporting it yet. Which means a lot of older systems would not be able to support a BGP session with TCP-AO.
2. People have yet to try it operationally.

Sharing your thoughts would be helpful ...

Thanks,

Barry
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?
FWIW -- We've asked for that feature now in any RFP/RFQs we send to the usual gang of $vendors.

That's our method to get adoption, else they get a black-mark/non-comply in the [BGP section] when it comes time to score the responses.

- CK.



> On 27 Sep 2023, at 10:49, Barry Greene via juniper-nsp <juniper-nsp@puck.nether.net> wrote:
>
> Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?

Re: Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?
On Wed, 27 Sept 2023 at 03:50, Barry Greene via juniper-nsp
<juniper-nsp@puck.nether.net> wrote:

> Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?
>
> I’m not touching routers right now. I’m wondering if anyone has deployed, your experiences, and thoughts?

For the longest time (like close to a decade) no one supported it at
all, not even Juniper, because the Juniper implementation was pre-RFC
and incompatible with the RFC.

To my understanding today there is support in Junos, IOS-XE, IOS-XR,
SROS, EOS and VRP. I have no operational experience to share.

--
++ytti
Re: Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?
[Warning: vendor anecdata follows]

In bgp-land where we're a primary motivator, but only a client of tcp-ao, we've seen a few minor bugs from the field primarily dealing with keychain configuration or rollover issues in the last few years. Basically enough activity to suggest people are minimally playing with it, to possibly deploying it. The folk in JTAC would be able to tell us more by mining configs, but for good reasons they don't want us poking through customer configs too arbitrarily. In terms of my experience for "bug activity as a proxy for deployment", I'd guess we're still moving in early stages, but it's happening.

The fact that tcp-ao support in linux is becoming more pervasive will likely help us close some gaps and likely provide better support for vendors that use that as their underlying OS.

One note to keep in mind in terms of roll-out is that implementations with NSR support have to do rather unpleasant things to TCP stacks in order to implement an already tricky feature. This is one of the reasons why deployment across vendors is slow.

-- Jeff

On 9/27/23, 1:35 AM, Saku Ytti via juniper-nsp <juniper-nsp@puck.nether.net> wrote:

> To my understanding today there is support in Junos, IOS-XE, IOS-XR,
> SROS, EOS and VRP. I have no operational experience to share.
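As an added illustration of the keychain rollover problem Jeff mentions (example code written for this page, not from the list post and not any vendor's implementation), the following Python models the TCP-AO pieces that go wrong in practice: the RFC 5926 KDF_HMAC_SHA1 traffic-key derivation, the HMAC-SHA-1-96 MAC over a segment, and a keychain of Master Key Tuples with send/accept lifetimes and KeyID/RNextKeyID selection (RFC 5925 section 7.5). The addresses, ports, ISNs, secrets and lifetimes are constructed for the demo; the lifetimes are local keychain policy rather than protocol fields, and other TCP options are left out of the MAC input, so the bytes are not claimed to interoperate with a real router.

```python
# Added model of TCP-AO keying and rollover (RFC 5925/5926); not vendor code.
# Addresses, ports, ISNs, secrets and lifetimes below are constructed for the demo.
import hashlib, hmac, ipaddress, struct
from dataclasses import dataclass
from typing import Iterable, Optional

AO_KIND = 29        # TCP option kind assigned to TCP-AO
MAC_LEN = 12        # HMAC-SHA-1-96: MAC truncated to 96 bits
KDF_OUT_BITS = 160  # traffic-key length produced by KDF_HMAC_SHA1

@dataclass(frozen=True)
class MKT:
    """Master Key Tuple: send_id goes into KeyID on transmit, recv_id is the KeyID
    expected on receive. The lifetimes are local policy (assumed), not RFC fields."""
    send_id: int
    recv_id: int
    master_key: bytes
    send_start: int
    send_end: int
    accept_start: int
    accept_end: int

def traffic_key(master: bytes, src: str, dst: str, sport: int, dport: int,
                isn_src: int, isn_dst: int) -> bytes:
    """KDF_HMAC_SHA1 (RFC 5926) over the connection context, ordered from the
    sender's side so both ends derive the same key for a given direction."""
    context = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
               + struct.pack(">HHII", sport, dport, isn_src, isn_dst))
    data = b"\x01" + b"TCP-AO" + context + struct.pack(">H", KDF_OUT_BITS)
    return hmac.new(master, data, hashlib.sha1).digest()

def ao_mac(tkey: bytes, sne: int, src: str, dst: str, sport: int, dport: int,
           seq: int, ack: int, flags: int, key_id: int, rnext_id: int,
           payload: bytes) -> bytes:
    """HMAC-SHA-1-96 over SNE || IPv4 pseudo-header || TCP header (checksum 0)
    || TCP-AO option with its MAC zeroed || payload. Other TCP options are
    omitted here, a simplification of RFC 5925 section 5.1."""
    opt_len = 4 + MAC_LEN
    hdr_len = 20 + opt_len                      # 36 bytes, a multiple of 4
    pseudo = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
              + struct.pack(">BBH", 0, 6, hdr_len + len(payload)))
    tcp = struct.pack(">HHIIBBHHH", sport, dport, seq, ack, (hdr_len // 4) << 4, flags, 65535, 0, 0)
    option = struct.pack(">BBBB", AO_KIND, opt_len, key_id, rnext_id) + b"\x00" * MAC_LEN
    msg = struct.pack(">I", sne) + pseudo + tcp + option + payload
    return hmac.new(tkey, msg, hashlib.sha1).digest()[:MAC_LEN]

class KeyChain:
    def __init__(self, mkts: Iterable[MKT]):
        self.mkts = list(mkts)

    def send_mkt(self, now: int, rnext_from_peer: Optional[int] = None) -> Optional[MKT]:
        """Honour the peer's RNextKeyID if we hold that key inside its send window
        (RFC 5925 7.5); otherwise use the first key whose send window covers now."""
        usable = [m for m in self.mkts if m.send_start <= now < m.send_end]
        for m in usable:
            if m.send_id == rnext_from_peer:
                return m
        return usable[0] if usable else None

    def recv_mkt(self, key_id: int, now: int) -> Optional[MKT]:
        """MKT for a received KeyID, or None if no key accepts it right now."""
        for m in self.mkts:
            if m.recv_id == key_id and m.accept_start <= now < m.accept_end:
                return m
        return None

def simulate(now: int, sender: KeyChain, receiver: KeyChain) -> str:
    """One BGP KEEPALIVE from A (10.0.0.1:179) to B (10.0.0.2:50000) at time now.
    Returns 'ok', 'no-send-key' (sender holds no usable MKT) or 'rejected'."""
    ctx = ("10.0.0.1", "10.0.0.2", 179, 50000, 1000, 2000)   # src, dst, sport, dport, ISNs
    mkt = sender.send_mkt(now)
    if mkt is None:
        return "no-send-key"
    payload = b"\xff" * 16 + b"\x00\x13\x04"                 # KEEPALIVE: marker, len 19, type 4
    fields = (0, *ctx[:4], 1001, 2001, 0x18, mkt.send_id, 0)  # sne, ..., seq, ack, PSH|ACK
    mac = ao_mac(traffic_key(mkt.master_key, *ctx), *fields, payload)
    rmkt = receiver.recv_mkt(mkt.send_id, now)
    if rmkt is None:
        return "rejected"                        # unknown or expired KeyID: segment dropped
    expected = ao_mac(traffic_key(rmkt.master_key, *ctx), *fields, payload)
    return "ok" if hmac.compare_digest(mac, expected) else "rejected"

def rollover_demo() -> dict:
    """Sender A moves from key 1 to key 2 at t=1000. The receiver must accept
    key 2 no later than that, with the right secret, or the session dies."""
    k1, k2, far = b"old-secret", b"new-secret", 2**31
    a = KeyChain([MKT(1, 1, k1, 0, 1000, 0, 1100), MKT(2, 2, k2, 1000, far, 900, far)])
    b_good = KeyChain([MKT(1, 1, k1, 0, 1000, 0, 1100), MKT(2, 2, k2, 1000, far, 900, far)])
    b_late = KeyChain([MKT(1, 1, k1, 0, 1000, 0, 1100), MKT(2, 2, k2, 1200, far, 1200, far)])
    b_typo = KeyChain([MKT(1, 1, k1, 0, 1000, 0, 1100), MKT(2, 2, b"new-secert", 1000, far, 900, far)])
    return {"good@950": simulate(950, a, b_good),
            "good@1050": simulate(1050, a, b_good),
            "late-accept@1050": simulate(1050, a, b_late),
            "wrong-secret@1050": simulate(1050, a, b_typo)}

if __name__ == "__main__":
    for case, result in rollover_demo().items():
        print(f"{case}: {result}")
```

The `late-accept@1050` case is the rollover gap: A starts signing with key 2 at t=1000, B's keychain only accepts key 2 from t=1200, so every segment in between fails authentication and the BGP session drops. The `wrong-secret` case shows the KeyID alone proving nothing; a mistyped secret on one side fails exactly the same way. The operational rule that falls out of it is that each peer's accept window for a key must start before the other side's send window for that key opens and end after it closes.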
Re: Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?
FWIW, I deployed it for iBGP on MX gear in 20.4 with no concerns for an ASN I manage. No issues in our lab with a mix of 20.4, 21.2 and 22.4, all classic JunOS. I haven't tried it in any other scenario.

-Michael

> -----Original Message-----
> From: juniper-nsp <juniper-nsp-bounces@puck.nether.net> On Behalf Of Barry Greene via juniper-nsp
> Sent: Tuesday, September 26, 2023 7:50 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?
Re: Q. Is anyone deploying TCP Authentication Option (TCP-AO) on their BGP peering Sessions?
I only know of one production eBGP deployment (prove me wrong!)

https://labs.ripe.net/author/andrew-gallo/production-deployment-of-tcp-authentication-option/

Happens to be between two routers that I control (but it's still eBGP)

I'd love to hear about more deployments

There is a github repo with some interop results and config examples

https://github.com/TCP-AO/

Please share your experiences


On 9/27/2023 10:56 AM, Michael Hare via juniper-nsp wrote:
> FWIW, I deployed it for iBGP on MX gear in 20.4 with no concerns for an ASN I manage. No issues in our lab with a mix of 20.4, 21.2 and 22.4, all classic JunOS. I haven't tried it in any other scenario.
>
> -Michael