[149062] in North American Network Operators' Group


Re: MD5?

daemon@ATHENA.MIT.EDU (Joel jaeggli)
Fri Jan 27 18:01:49 2012

Date: Fri, 27 Jan 2012 15:00:53 -0800
From: Joel jaeggli <joelja@bogus.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
In-Reply-To: <CAL9jLaah5USAPA50SgxLyTi2sdQdpCrP_mzf3sPGBw1jMLDksQ@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 1/27/12 12:35 , Christopher Morrow wrote:
> On Fri, Jan 27, 2012 at 3:32 PM, Jon Lewis <jlewis@lewis.org> wrote:
>> On Fri, 27 Jan 2012, Christopher Morrow wrote:
>>
>>> lots of folks still use it yes. is it helpful? maybe? maybe not? is
>>> this peering over a shared medium (like a 10base-T hub)?
>>>
>>> You might point out that you'll be enabling this, then promptly
>>> writing the 'secret' on a large whiteboard in your noc... because
>>> chances are the config won't include it in rancid and ... you don't
>>> have a place to store these securely that's not prone also to outages
>>> :(
>>>
>>> also, customers wander through your NOC, so...
>>
>>
>> All that may be true, but still, the random hacker in Romania who wants in
>> on their BGP session won't know the secret...probably.
> 
> 1) that person doesn't exist
> 2) they need a LOT more info about what's going on anyway
> 3) I bet they will get a copy of the config from at least:
>    a) vendor data sources
>    b) ebay purchases of gear
>    c) pwning a noc-worker and getting things done from there.
> 
> There are far better ways to skin this cat.

I don't think md5 is that great, but I absolutely wouldn't use a clear
text password if I'm going to use anything at all.

I don't think shared secret management is dramatically harder than any
other form of configuration management, modulo rekeying requires
coordination with a third party and is therefore hard.

joel
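For readers who have not looked at what "MD5 on the BGP session" actually does on the wire, the following is an added example (not code from this thread or from any vendor) of the RFC 2385 TCP MD5 signature option: the digest is MD5 over the pseudo-header, the fixed TCP header with checksum zeroed, the segment data, and finally the shared key, carried as TCP option kind 19. It signs a constructed BGP KEEPALIVE with a constructed key, then shows that the receiver rejects the same segment checked with a different key and a segment whose payload was swapped for a forged NOTIFICATION. The addresses, ports, sequence numbers and key are all made up for the example. Note that there is no clear-text mode in the option itself; the digest never carries the key, which is why an observer on a shared medium learns nothing about it, and why both ends must hold the same key, the coordination problem the message above refers to.

```python
"""Worked example of the RFC 2385 TCP MD5 signature option ("BGP MD5").

Added as an illustration for this thread; not code from the original
post. Addresses, ports, sequence numbers, key and the BGP bytes below
are constructed for the example.
"""
import hashlib
import hmac
import ipaddress
import struct

TCP_MD5_KIND = 19          # option kind assigned by RFC 2385
TCP_MD5_LEN = 18           # kind(1) + length(1) + 16-byte digest
PROTO_TCP = 6

# Options field as most stacks emit it: two NOPs pad the 18-byte option
# to a 4-byte boundary, so the options field is 20 bytes long.
MD5_OPTIONS_LEN = 2 + TCP_MD5_LEN


def tcp_fixed_header(sport, dport, seq, ack, flags, window, options_len):
    """20-byte TCP header with checksum 0 (the stack fills it in later)."""
    data_offset = (20 + options_len) // 4            # in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, options_len, payload, key):
    """RFC 2385 section 2.0: MD5 over the pseudo-header, the fixed header
    with checksum zeroed (options excluded), the segment data, the key."""
    tcp_length = len(fixed_header) + options_len + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, PROTO_TCP, tcp_length))
    hdr = bytearray(fixed_header)
    hdr[16:18] = b"\x00\x00"                         # checksum assumed zero
    h = hashlib.md5()
    for part in (pseudo, bytes(hdr), payload, key):
        h.update(part)
    return h.digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                 payload, key):
    """Return fixed header + options + payload with the MD5 option set."""
    hdr = tcp_fixed_header(sport, dport, seq, ack, flags, window,
                           MD5_OPTIONS_LEN)
    digest = tcp_md5_digest(src_ip, dst_ip, hdr, MD5_OPTIONS_LEN, payload, key)
    options = b"\x01\x01" + bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + digest
    return hdr + options + payload


def verify_segment(src_ip, dst_ip, segment, key):
    """True if the segment carries an MD5 option that matches the key.
    A receiver configured for MD5 silently drops segments failing this."""
    data_offset = (segment[12] >> 4) * 4
    fixed = segment[:20]
    options = segment[20:data_offset]
    payload = segment[data_offset:]
    received = None
    i = 0
    while i < len(options):                          # walk the TCP options
        kind = options[i]
        if kind == 0:                                # end of option list
            break
        if kind == 1:                                # NOP
            i += 1
            continue
        length = options[i + 1]
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            received = options[i + 2:i + TCP_MD5_LEN]
        i += length
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, len(options), payload, key)
    return hmac.compare_digest(received, expected)


# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4)
# from 192.0.2.1:179 to 192.0.2.2:40000 on a session keyed with SHARED_KEY.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
SHARED_KEY = b"example-session-key"              # constructed, not a real key
ACK_PSH = 0x18


def demo():
    seg = sign_segment("192.0.2.1", "192.0.2.2", 179, 40000, 1000, 2000,
                       ACK_PSH, 65535, BGP_KEEPALIVE, SHARED_KEY)
    ok = verify_segment("192.0.2.1", "192.0.2.2", seg, SHARED_KEY)
    wrong_key = verify_segment("192.0.2.1", "192.0.2.2", seg, b"guess")
    # A forged NOTIFICATION (Cease) spliced under the copied option fails too.
    forged = seg[:40] + b"\xff" * 16 + struct.pack("!HBBB", 21, 3, 6, 0)
    forged_ok = verify_segment("192.0.2.1", "192.0.2.2", forged, SHARED_KEY)
    return ok, wrong_key, forged_ok


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The segment length in the pseudo-header covers the options, while the hashed TCP header does not; getting either detail wrong is the usual reason two implementations refuse to talk. Nothing here is encrypted, and MD5 is used as a keyed hash by concatenation rather than as an HMAC, which is the limitation RFC 5925 (TCP-AO) was written to replace.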
