On 18/12/2012 23:15, Anantha Ramaiah wrote:
> Also TCP MD5 with periodic key rollover can make the life harder for TCP
> MD5 based collision attacks.

There is no facility in rfc 2385 for automatic key rollover, which means that any key changes must be done manually.

I've come across gratuitous key rollover happening exactly once in my career: namely where (as far as I understand) a particular company had used the same MD5 key for all ebgp peering sessions worldwide. They eventually decided that this wasn't such a good idea and subsequently changed keys whenever they changed routers / bgp sessions / did port upgrades / etc.

Other than that, I've never come across a case of someone wanting to proactively change a session key because it seemed to be a good idea.

Just sayin'.

Nick
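Added example (not from the post or any vendor implementation): the RFC 2385 TCP MD5 option digest computed and verified offline, then a segment signed under an old key checked against a peer whose key has been changed. It illustrates the point above that nothing in RFC 2385 negotiates a key change, so the two ends have to be switched by hand, and it shows the kind of overlapping accept window an operator would configure manually during a changeover (that overlap is an assumption of this example, not RFC 2385 behaviour). Addresses, ports, keys and the KEEPALIVE-shaped payload are constructed sample values.

```python
"""RFC 2385 TCP MD5 signature option: sign, parse, verify, and a manual key
rollover scenario. Added example with constructed inputs; nothing here is
taken from the mailing-list post."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
OPT_MD5 = 19           # option kind 19, length 18 (RFC 2385 section 2.0)
OPT_MD5_LEN = 18


def build_tcp_header(sport, dport, seq, ack, flags, window, n_opt_bytes, checksum=0):
    """Fixed 20-byte TCP header; data offset counts 32-bit words incl. options."""
    data_offset = (20 + n_opt_bytes) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, checksum, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, options_len, payload, key):
    """RFC 2385 section 2.0: MD5 over the pseudo-header (src, dst, zero, proto,
    segment length), the fixed header with checksum zeroed and options excluded,
    the payload, and finally the key."""
    seg_len = len(fixed_header) + options_len + len(payload)
    pseudo = struct.pack("!4s4sBBH",
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed,
                         0, TCP_PROTO, seg_len)
    hdr = bytearray(fixed_header)
    hdr[16:18] = b"\x00\x00"            # checksum is assumed to be zero
    md5 = hashlib.md5()
    for part in (pseudo, bytes(hdr), payload, key):
        md5.update(part)
    return md5.digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, key):
    """Return (fixed_header, options); options carry the MD5 option padded with NOPs."""
    pad = b"\x01" * ((4 - OPT_MD5_LEN % 4) % 4)          # 18 -> 20 bytes
    options_len = OPT_MD5_LEN + len(pad)
    hdr = build_tcp_header(sport, dport, seq, ack, flags, window, options_len)
    digest = tcp_md5_digest(src_ip, dst_ip, hdr, options_len, payload, key)
    return hdr, bytes([OPT_MD5, OPT_MD5_LEN]) + digest + pad


def parse_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest or None if absent/malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                    # EOL
            return None
        if kind == 1:                    # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                  # malformed length, refuse the option
        if kind == OPT_MD5 and length == OPT_MD5_LEN:
            return bytes(options[i + 2:i + OPT_MD5_LEN])
        i += length
    return None


def verify_segment(src_ip, dst_ip, hdr, options, payload, key):
    """Recompute the digest under key and compare in constant time."""
    found = parse_md5_option(options)
    if found is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, hdr, len(options), payload, key)
    return hmac.compare_digest(found, expected)


def first_valid_key(src_ip, dst_ip, hdr, options, payload, candidate_keys):
    """Assumed operator practice, not RFC 2385: a receiver configured by hand to
    accept both old and new key during a changeover tries each in turn."""
    for key in candidate_keys:
        if verify_segment(src_ip, dst_ip, hdr, options, payload, key):
            return key
    return None


def rollover_outcome():
    """A segment signed under the old key only verifies where the old key is
    still configured; the change has to be coordinated manually on both ends."""
    src, dst = "192.0.2.1", "192.0.2.2"                    # constructed, TEST-NET-1
    payload = b"\xff" * 16 + b"\x00\x13\x04"               # constructed BGP KEEPALIVE
    old_key, new_key = b"example-old-key", b"example-new-key"   # constructed
    hdr, opts = sign_segment(src, dst, 179, 49152, 1000, 2000, 0x18, 65535, payload, old_key)
    return {
        "old_key_verifies": verify_segment(src, dst, hdr, opts, payload, old_key),
        "new_key_only_verifies": verify_segment(src, dst, hdr, opts, payload, new_key),
        "overlap_accepts_old": first_valid_key(src, dst, hdr, opts, payload,
                                               [new_key, old_key]) == old_key,
    }


if __name__ == "__main__":
    for name, result in rollover_outcome().items():
        print(f"{name}: {result}")
```

Running it prints that the old key verifies, the new key alone rejects the segment, and a receiver holding both keys still accepts it. The digest deliberately skips the options and the checksum field, so re-signing after a key change does not disturb the checksum computation.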