[149066] in North American Network Operators' Group
Re: MD5 considered harmful
daemon@ATHENA.MIT.EDU (Jared Mauch)
Fri Jan 27 18:23:09 2012
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <0B6DEEFE-0049-4223-BB76-4A6A52D929E2@ianai.net>
Date: Fri, 27 Jan 2012 18:20:17 -0500
To: "Patrick W. Gilmore" <patrick@ianai.net>
Cc: NANOG list <nanog@nanog.org>
On Jan 27, 2012, at 3:52 PM, Patrick W. Gilmore wrote:
> Your network, your decision. On my network, we do not do MD5. We do more traffic than anyone and have to be in the top 10 of total eBGP peering sessions on the planet. Guess how many times we've seen anyone even attempt this attack? If you guessed more than zero, guess again.
>
> I am fully well aware saying this in a public place means someone, probably many someones, will try it now just to prove me wrong. I still don't care. What does that tell you?
>
> STOP USING MD5 ON BGP.
I would generally say: If you are on a p2p link or control the network, then yeah, you don't need MD5. If you are at a shared medium (e.g.: IX) I do recommend it there, as it will help mitigate cases where someone can hijack your session by putting your IP/ASN whatnot on the router.

The threat (attack) never became real and we've now had enough time that even the slowest carriers are running fixed code.

- Jared
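As an added illustration of the mechanism being debated above (not part of the thread or anyone's router code), the following Python models the RFC 2385 TCP MD5 signature that "MD5 on BGP" refers to: the receiver recomputes the digest over the pseudo-header, the fixed TCP header, the payload and the shared key, so a segment from a device that has the peer's IP but not the key is silently dropped. Addresses, the key and the BGP KEEPALIVE payload are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

BGP_PORT = 179
MD5_OPT_KIND, MD5_OPT_LEN = 19, 18   # RFC 2385 option carrying the 16-byte digest

def build_tcp_header(sport, dport, seq, ack, flags, window, opts_len):
    # Fixed 20-byte TCP header with the checksum field zeroed, which is the form
    # RFC 2385 feeds into the digest. doff still counts the options on the wire.
    doff_words = (20 + opts_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       doff_words << 4, flags, window, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, tcp_hdr, opts_len, payload, key):
    # RFC 2385 section 2: MD5 over pseudo-header, fixed TCP header (checksum
    # zero, options excluded), the segment data, and finally the shared key.
    seg_len = len(tcp_hdr) + opts_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    return hashlib.md5(pseudo + tcp_hdr + payload + key).digest()

def md5_option(digest):
    # Option bytes as carried in the TCP header, NOP-padded to a 4-byte boundary.
    return struct.pack("!BB", MD5_OPT_KIND, MD5_OPT_LEN) + digest + b"\x01\x01"

def segment_accepted(src_ip, dst_ip, tcp_hdr, opts_len, payload, received, key):
    # Receiver recomputes with its own copy of the key; mismatch means the
    # segment is dropped without any response (RFC 2385 section 3).
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_hdr, opts_len, payload, key)
    return hmac.compare_digest(expected, received)

def simulate_ix_peering():
    # Constructed peer addresses and key; the payload is a 19-byte BGP KEEPALIVE.
    peer_ip, my_ip, key = "203.0.113.10", "203.0.113.20", b"ix-session-secret"
    opts_len = len(md5_option(bytes(16)))
    hdr = build_tcp_header(40000, BGP_PORT, 1000, 2000, 0x18, 65535, opts_len)
    keepalive = bytes([0xFF] * 16) + struct.pack("!HB", 19, 4)
    sig = tcp_md5_digest(peer_ip, my_ip, hdr, opts_len, keepalive, key)
    guessed = tcp_md5_digest(peer_ip, my_ip, hdr, opts_len, keepalive, b"guess")
    # A NOTIFICATION (type 3) reusing the KEEPALIVE's signature: tampered payload.
    notification = bytes([0xFF] * 16) + struct.pack("!HBBB", 21, 3, 6, 0)
    return {
        "peer_signed": segment_accepted(peer_ip, my_ip, hdr, opts_len, keepalive, sig, key),
        "wrong_key": segment_accepted(peer_ip, my_ip, hdr, opts_len, keepalive, guessed, key),
        "tampered": segment_accepted(peer_ip, my_ip, hdr, opts_len, notification, sig, key),
        "digest_len": len(sig),
    }
```

On a point-to-point link the same check buys little because the only device able to source those bytes is already the peer; on a shared fabric it is what separates the real neighbor from another port claiming its address.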