[151043] in North American Network Operators' Group


Re: BGP MD5 at IXP

daemon@ATHENA.MIT.EDU (Andy Davidson)
Sat Mar 10 04:43:05 2012

From: Andy Davidson <andy@nosignal.org>
In-Reply-To: <CAK6zc0nbsgT_De9A9egQR_WaHkapaDy6J0OJRwvJ_K=Ebgr_JA@mail.gmail.com>
Date: Sat, 10 Mar 2012 09:42:10 +0000
To: Jay Hanke <jayhanke@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 9 Mar 2012, at 22:24, Jay Hanke wrote:

> How critical is BGP MD5 at Internet Exchange Points? Would lack of
> support for MD5 authentication on route servers prevent some peers
> from multilaterally connecting? Do most exchange operators support it?

At LONAP in London, the route-servers do not support TCP MD5
authentication for BGP.  I don't think that this policy has led to
anyone refusing to connect (about 80 of the 110 or so peers connected to
the exchange use the Multilateral service - it is optional to connect to
the MLP).  We have no plans to enable TCP MD5 on this service.

Because TCP MD5 packets touch a router's CPU, using MD5 introduces a new
attack vector - see nanogii passim (e.g.
http://www.nanog.org/meetings/nanog39/presentations/Scholl.pdf).  Don't
do it. :-)

Andy
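As an added illustration, not part of Andy's message or of any LONAP or router configuration, the Python below shows the work a receiver has to do for every segment carrying the RFC 2385 TCP MD5 option: rebuild the pseudo-header, zero the checksum, run MD5 over pseudo-header + header + data + key, and only then compare. Verification cannot be skipped for a bad segment, which is the per-packet CPU cost the post refers to. The addresses, ports, key and BGP KEEPALIVE payload are constructed sample values, and the option parsing is a minimal reimplementation for illustration rather than any stack's real code.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19       # option kind defined by RFC 2385
TCPOPT_MD5SIG_LEN = 18   # kind(1) + length(1) + 16-byte digest
OPTIONS_LEN = 20         # MD5SIG option padded with two NOPs to a 4-byte boundary


def tcp_header(sport, dport, seq, ack, flags, data_offset_words, window=65535):
    """20-byte TCP header with the checksum field zeroed, which is how
    RFC 2385 says the header is fed to MD5 (options are not included)."""
    offset_flags = (data_offset_words << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, window, 0, 0)


def pseudo_header(src_ip, dst_ip, segment_len):
    """IPv4 pseudo-header in RFC 2385 order: source address, destination
    address, zero byte, protocol number, TCP segment length (incl. options)."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, segment_len))


def md5_signature(src_ip, dst_ip, header20, data, key, segment_len):
    """Digest over pseudo-header, header (checksum zero), data and key."""
    h = hashlib.md5()
    h.update(pseudo_header(src_ip, dst_ip, segment_len))
    h.update(header20)
    h.update(data)
    h.update(key)
    return h.digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, data, key):
    """Sender side: return header + options + data carrying the MD5 option."""
    segment_len = 20 + OPTIONS_LEN + len(data)
    header20 = tcp_header(sport, dport, seq, ack, flags,
                          data_offset_words=(20 + OPTIONS_LEN) // 4)
    digest = md5_signature(src_ip, dst_ip, header20, data, key, segment_len)
    options = (struct.pack("!BB", TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN) + digest
               + bytes([TCPOPT_NOP, TCPOPT_NOP]))
    # A real stack fills in the TCP checksum after signing; 0xFFFF is a
    # stand-in here so that the verifier's zeroing step is exercised.
    header20 = header20[:16] + b"\xff\xff" + header20[18:]
    return header20 + options + data


def extract_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:              # End of option list
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            return bytes(options[i + 2:i + length])
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side. The MD5 over the whole segment must be computed before
    a forged or garbage segment can be rejected; that unconditional per-packet
    work on the control-plane CPU is the cost the post refers to."""
    if len(segment) < 20:
        return False
    header_len = (struct.unpack("!H", segment[12:14])[0] >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        return False
    header20 = segment[:16] + b"\x00\x00" + segment[18:20]   # checksum zeroed
    received = extract_md5_option(segment[20:header_len])
    if received is None:
        return False
    expected = md5_signature(src_ip, dst_ip, header20, segment[header_len:],
                             key, len(segment))
    return hmac.compare_digest(received, expected)


# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4)
# from 192.0.2.1:40000 to a route server at 192.0.2.2:179.
SAMPLE_KEY = b"example-shared-secret"
SAMPLE_KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
SAMPLE_SEGMENT = build_signed_segment("192.0.2.1", "192.0.2.2", 40000, 179,
                                      1000, 2000, 0x18, SAMPLE_KEEPALIVE, SAMPLE_KEY)

if __name__ == "__main__":
    print("valid key:", verify_segment("192.0.2.1", "192.0.2.2", SAMPLE_SEGMENT, SAMPLE_KEY))
    print("wrong key:", verify_segment("192.0.2.1", "192.0.2.2", SAMPLE_SEGMENT, b"wrong"))
```

Note that `verify_segment` reaches the hash step for any segment that merely carries a well-formed option, whatever its source, which is why the cost lands on the router's CPU rather than being filtered earlier; the option parser also has to bound-check every length byte before it touches the digest.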
