[149077] in North American Network Operators' Group


Re: MD5 considered harmful

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Fri Jan 27 19:40:36 2012

From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <32B1BC9B-C529-499A-A59B-219C3BF0A227@puck.nether.net>
Date: Fri, 27 Jan 2012 19:40:07 -0500
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Jan 27, 2012, at 6:20 PM, Jared Mauch wrote:
> On Jan 27, 2012, at 3:52 PM, Patrick W. Gilmore wrote:
>
>> Your network, your decision.  On my network, we do not do MD5.  We do
>> more traffic than anyone and have to be in the top 10 of total eBGP
>> peering sessions on the planet.  Guess how many times we've seen anyone
>> even attempt this attack?  If you guessed more than zero, guess again.
>>
>> I am fully well aware saying this in a public place means someone,
>> probably many someones, will try it now just to prove me wrong.  I still
>> don't care.  What does that tell you?
>>
>> STOP USING MD5 ON BGP.
>
> I would generally say: If you are on a p2p link or control the
> network, then yeah, you don't need md5.  If you are at a shared medium
> (e.g.: IX) I do recommend it there, as it will help mitigate cases where
> someone can hijack your session by putting your IP/ASN whatnot on the
> router.


As much as this scares me, I am going to disagree with Jared.

If another member on the IX fabric wants to do something bad, then
spoofing your address and causing BGP sessions to flap is the least of
your worries.  I've personally configured thousands of sessions at dozens
of IXes for well over a decade.  I have yet to see a single case where
MD5 would have been useful.  OTOH, it has caused quite a bit of
downtime.

There is no perfect solution, everything has issues.  Past performance
is no guarantee of future profits.  All you can do is try your
level-headed best to keep the packets flowing as quickly, reliably, and
cheaply as possible.  MD5 is a detriment to _all three_ of those goals.

--
TTFN,
patrick
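The mechanism the thread is arguing about is the RFC 2385 TCP MD5 signature option that BGP sessions carry; the following is an added example, not code from this thread or from any router vendor, that computes and verifies the per-segment digest over a constructed KEEPALIVE segment and shows why a segment sourced by another IX member without the shared key is dropped while anyone holding the key passes the check. The addresses, ports and key are constructed values.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5_OPT_LEN = 20  # option kind 19, length 18, padded to a 4-byte boundary


def build_tcp_header(sport, dport, seq, ack, flags, window=65535, opt_len=MD5_OPT_LEN):
    """Fixed 20-byte TCP header; the data offset counts the signature option."""
    data_offset = (20 + opt_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, opt_len, payload, key):
    """RFC 2385 order: pseudo-header (src, dst, zero, proto, segment length),
    fixed TCP header with checksum zeroed and options excluded, segment
    data, then the shared key.  Plain MD5, not HMAC, as the RFC specifies."""
    seg_len = len(fixed_hdr) + opt_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    fixed = bytearray(fixed_hdr[:20])
    fixed[16:18] = b"\x00\x00"  # checksum field assumed zero for signing
    m = hashlib.md5()
    for part in (pseudo, bytes(fixed), payload, key):
        m.update(part)
    return m.digest()


def verify_segment(src_ip, dst_ip, fixed_hdr, opt_len, payload, key, received):
    """Receiver side: recompute and compare in constant time."""
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, opt_len, payload, key)
    return hmac.compare_digest(expected, received)


# Constructed IX peering scenario: peer A (ephemeral port) to peer B on TCP 179.
PEER_A, PEER_B = "203.0.113.10", "203.0.113.20"
KEY = b"constructed-shared-key"
HDR = build_tcp_header(49152, 179, seq=1000, ack=5000, flags=0x18)  # PSH|ACK
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"  # BGP marker, length 19, type 4
SIG = tcp_md5_digest(PEER_A, PEER_B, HDR, MD5_OPT_LEN, KEEPALIVE, KEY)


def accepted_with_key(key):
    """Would peer B accept a segment on A's 5-tuple signed with this key?"""
    sig = tcp_md5_digest(PEER_A, PEER_B, HDR, MD5_OPT_LEN, KEEPALIVE, key)
    return verify_segment(PEER_A, PEER_B, HDR, MD5_OPT_LEN, KEEPALIVE, KEY, sig)
```

Note that the digest binds the source address and the key only: a host on the same fabric that has obtained the key signs a valid segment from A's address, which is why the option protects against address spoofing but not against a leaked password.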


