1. Introduction
The TCP-MD5 option [RFC2385] is most commonly used to secure BGP sessions between routers. However, changing the long-term key is difficult, since the change needs to be synchronized between different organizations. Worse yet, if the keys are out of sync, it may break the connection between the two routers, rendering repair attempts difficult.

The proper solution involves some sort of key management protocol. Apart from the complexity of such things, RFC 2385 was not written with key changes in mind. In particular, there is no KeyID field in the option, which means that even a key management protocol would run into the same problem.

Fortunately, a heuristic permits key change despite this protocol deficiency. The change can be installed unilaterally at one end of a connection; it is fully compatible with the existing protocol.
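The missing KeyID can be seen in the option encoding itself. The following Python sketch is an added example, not part of this document or of RFC 2385: it computes the RFC 2385 digest, encodes the option, and shows that a receiver holding more than one key can only identify the right one by trial verification. The addresses, ports, payload, key values and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

TCP_MD5_KIND, TCP_MD5_LEN = 19, 18  # RFC 2385 option: kind, length, 16-byte digest

# Constructed sample segment (not from the RFC): fixed 20-byte TCP header,
# port 50000 -> 179, seq 1, data offset 10 words (20 header + 20 option bytes), ACK.
SAMPLE_HEADER = struct.pack("!HHIIBBHHH", 50000, 179, 1, 0, 10 << 4, 0x10, 65535, 0, 0)
SAMPLE_SRC, SAMPLE_DST, SAMPLE_PAYLOAD = "192.0.2.1", "192.0.2.2", b"constructed payload"


def tcp_md5_digest(src, dst, tcp_header, payload, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header with the checksum
    zeroed and options excluded, segment data, then the key."""
    header_len = (tcp_header[12] >> 4) * 4  # includes options
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!BBH", 0, socket.IPPROTO_TCP, header_len + len(payload))
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def md5_option(digest):
    """Encode the option as kind, length, digest. Nothing identifies the key."""
    return struct.pack("!BB", TCP_MD5_KIND, TCP_MD5_LEN) + digest


def matching_key(src, dst, tcp_header, payload, option, candidate_keys):
    """Return the first candidate key that verifies the segment, else None."""
    if len(option) != TCP_MD5_LEN or option[0] != TCP_MD5_KIND or option[1] != TCP_MD5_LEN:
        return None
    for key in candidate_keys:
        expected = tcp_md5_digest(src, dst, tcp_header, payload, key)
        if hmac.compare_digest(expected, option[2:]):
            return key
    return None


def demo():
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"
    seg = (SAMPLE_SRC, SAMPLE_DST, SAMPLE_HEADER, SAMPLE_PAYLOAD)
    option = md5_option(tcp_md5_digest(*seg, new_key))
    return matching_key(*seg, option, [old_key, new_key]), matching_key(*seg, option, [old_key])


if __name__ == "__main__":
    print(demo())
```

A receiver configured with only the old key rejects the segment outright, which is the out-of-sync failure described above.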
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
