Assumptions, assumptions.

If your IPSEC is being done in hardware and you have appropriate QoS
in your network, you will probably not be able to pass your best effort
traffic but the rest should be OK.

Can we get back to the regularly scheduled programming
instead of throwing big numbers around?

Barry had a point: if you do IPSEC stupidly, it does not protect you.
If you pay attention to detail, it does help. It is not the panacea.

For the purpose of securing BGP, I think IPSEC is easy to configure (at
least on IOS, which is what I'm used to), and will do the job. And for
this application, I don't see why certs can't be used either.



Unless the DoS is within the IPSEC tunnel and crowds out the good traffic.


Your original post seemed to imply that IPSEC is an anti-DoS mechanism, as does the statement 'If you pay attention to detail, it does help.' IPSEC is not an anti-DoS mechanism at all; it's important to be clear about that.