RE: BGP over TLS

The article linked says no mainstream BGP implementation supports TCP-AO.
IOS-XE and IOS-XR support it.

While I do not represent the Cisco view, personally I like the idea of BGP over TLS.


Christopher Morrow <> writes:

Isn't Julien's idea more akin to DOT than DOH?

Yes, and I really like Julien's proposal. It even looks pretty
complete. There are just a few details missing around how to make the
MD5 => TLS transition smooth.

At least for those systems that run on Linux (which is most all of the
majors except Juniper) I suspect if we went to the relevant kernel folk
with a clear plan on how to handle TCP-MD5 in a way that would make
transitions much easier, they'd listen.

The troll response at the top of my post was actually based on a
response from one of the kernel folk, who dislike TCP options even more
than network operators.

Sorry for any confusion caused by an attempt to make a joke on DoH. I
didn't anticipate the sudden turn to serious discussion :) Which
obviously was a good one. I am all for BGP over TLS, so let's discuss

If anyone is at all interested in this I'm happy to discuss and flesh
out anything that's not clear. After I wrote this (over a few bottles of
red on the flight to this year) I sent it to a bunch of
people that had expressed interest, including a few BGP implementations,
but nobody bit.

Excellent, that's news to me.

I had been told Juniper finally also shipped TCP-AO in a very recent JunOS.

Both of those are great, but without upstream OS support that leaves a
bunch of purely software implementations out in the cold.