[149070] in North American Network Operators' Group


Re: MD5 considered harmful

daemon@ATHENA.MIT.EDU (Keegan Holley)
Fri Jan 27 18:36:07 2012

In-Reply-To: <32B1BC9B-C529-499A-A59B-219C3BF0A227@puck.nether.net>
From: Keegan Holley <keegan.holley@sungard.com>
Date: Fri, 27 Jan 2012 18:35:00 -0500
To: Jared Mauch <jared@puck.nether.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

2012/1/27 Jared Mauch <jared@puck.nether.net>:
>
> On Jan 27, 2012, at 3:52 PM, Patrick W. Gilmore wrote:
>
>> Your network, your decision. On my network, we do not do MD5. We do more traffic than anyone and have to be in the top 10 of total eBGP peering sessions on the planet. Guess how many times we've seen anyone even attempt this attack? If you guessed more than zero, guess again.
>>
>> I am fully well aware saying this in a public place means someone, probably many someones, will try it now just to prove me wrong. I still don't care. What does that tell you?
>>
>> STOP USING MD5 ON BGP.
>
> I would generally say: If you are on a p2p link or control the network, then yeah, you don't need md5. If you are at a shared medium (e.g.: IX) I do recommend it there, as it will help mitigate cases where someone can hijack your session by putting your IP/ASN whatnot on the router.
>
> The threat (Attack) never became real and we've now had enough time that even the slowest carriers are running fixed code.
>
> - Jared
>

I kind of agree that there isn't much of a vector here, but I don't
agree that MD5 hurts if done correctly.  Is it really that hard to
find a semi-secure place to store passwords for an entire company?
There's also the question of engineering standards.  Is it an aging
practice? Probably... Is it worth spending time to update it and train
everyone not to use it?  Probably not.  I'll be happy when the world
realizes that it's ok to let gig-e auto-negotiate.  I've never really
seen MD5 cause issues.
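The TCP MD5 signature option (RFC 2385) that the thread is arguing over, as an added example that is not from this list or any of its posters: it signs a constructed BGP KEEPALIVE segment and shows the receiving side rejecting a segment whose key, addresses or payload differ, or that carries no option at all. IPv4 only; the peer addresses and the key are constructed values.

```python
import hashlib
import hmac
import struct
TCPOPT_MD5SIG, TCPOLEN_MD5SIG = 19, 18   # RFC 2385 option kind; length = kind + len + 16-byte digest

def ip4(addr):
    return bytes(int(o) for o in addr.split("."))

def tcp_md5_digest(src_ip, dst_ip, hdr20, segment_len, payload, key):
    """RFC 2385 section 2: MD5 over the IPv4 pseudo-header, the TCP header without
    options and with its checksum zeroed, the segment data, then the shared key."""
    pseudo = ip4(src_ip) + ip4(dst_ip) + struct.pack("!BBH", 0, 6, segment_len)
    hdr = hdr20[:16] + b"\x00\x00" + hdr20[18:20]       # zero the checksum field
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def sign_options(src_ip, dst_ip, hdr20, payload, key):
    """Sender side: NOP, NOP, then the kind-19 option (20 bytes, keeps the options word aligned)."""
    segment_len = len(hdr20) + 20 + len(payload)        # pseudo-header length includes the options
    digest = tcp_md5_digest(src_ip, dst_ip, hdr20, segment_len, payload, key)
    return b"\x01\x01" + bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest

def find_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest, or None if absent or malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                   # end of option list
            return None
        if kind == 1:                                   # NOP
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2 or i + length > len(options):
            return None                                 # truncated or malformed option
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return options[i + 2:i + length]
        i += length
    return None

def verify_segment(src_ip, dst_ip, hdr20, options, payload, key):
    """Receiver side: a missing option or a digest mismatch means the segment is dropped."""
    received = find_md5_option(options)
    segment_len = len(hdr20) + len(options) + len(payload)
    expected = tcp_md5_digest(src_ip, dst_ip, hdr20, segment_len, payload, key)
    return received is not None and hmac.compare_digest(received, expected)

KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # constructed BGP KEEPALIVE: marker, length 19, type 4
PEER_A, PEER_B, KEY = "192.0.2.1", "192.0.2.2", b"example-key"   # constructed peers and key
HDR = struct.pack("!HHIIHHHH", 179, 41000, 0x11223344, 0x55667788, (10 << 12) | 0x18, 65535, 0, 0)
OPTS = sign_options(PEER_A, PEER_B, HDR, KEEPALIVE, KEY)     # offset 10 words: 20-byte hdr + 20 opts
```

The HDR line is a 20-byte TCP header from port 179 with PSH|ACK set and a data offset of 10 words, so that the signed copy matches what the wire header would carry.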

