[196036] in North American Network Operators' Group


Re: Peering at public exchange authentication

daemon@ATHENA.MIT.EDU (Bob Evans)
Sat Sep 30 04:27:51 2017

X-Original-To: nanog@nanog.org
In-Reply-To: <1879C90C-92CA-4035-B504-6BE3015D5712@ianai.net>
Date: Fri, 29 Sep 2017 11:20:10 -0700
From: "Bob Evans" <bob@FiberInternetCenter.com>
To: "Patrick W. Gilmore" <patrick@ianai.net>
Reply-To: bob@FiberInternetCenter.com
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Almost all good and popular peering points utilize MAC locks on ports for
all peers. (With few exceptions.) To hijack a BGP session one would need
not only a port on the peering network but a MAC address registered with
the peering network - or their packets won't traverse the port through
the switches to your port.

So the extra CPU load of MD5, in my opinion, is a waste on a peering edge
router with many peers. With lots of peers on a router - all the timing
and table building after a needed maintenance reboot could lead to table
building slowness and establishment timing sluggishness issues (depending
on the router of course).

If a peering network doesn't lock most all participants (and any route
servers they have) by the MAC of the peering device I won't be a
participant.

All that said - I know of a way a customer of a network can create havoc
by using a device/router that allows the MAC to be modified like a
variable. However, for the most part that havoc would be limited to that
network that hacking customer is located on. This would also be a truly
rare event as there needs to be something the network also allowed for the
customer to get routable layer 2 access to the peering port.

Bob Evans
CTO




> MD5 on BGP Considered Harmful
>
> --
> TTFN,
> patrick
>
> Composed on a virtual keyboard, please forgive typos.
>
>
>> On Sep 29, 2017, at 13:41, craig washington
>> <craigwashington01@hotmail.com> wrote:
>>
>> Hello all,
>>
>>
>> Wondering your views or common practices for using authentication via
>> BGP at public exchange locations.
>>
>> Just for example, let's say you peer with 5 people in the TELX in
>> Atlanta, do you require them to all use authentication for the BGP
>> session?
>>
>> I've seen some use it and some not use it, is it just a preference?
>
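
The "MD5 on BGP" being debated above is the TCP MD5 Signature option (RFC 2385), in which every segment of the BGP session carries an MD5 digest over the IP pseudo-header, the TCP header, the payload and a shared key. The following is an added example, not code from any poster in this thread, that builds such a segment and checks it on the receiving side; it is a simplified IPv4-only model (no TCP checksum, NOP padding for the options, constructed addresses and key) intended to show exactly what the per-segment hashing covers and why a mismatched key or a tampered segment is dropped:

```python
import hashlib
import hmac
import ipaddress
import struct

MD5_OPT_KIND = 19   # RFC 2385 TCP MD5 Signature option kind
MD5_OPT_LEN = 18    # kind + length + 16-byte digest
TCP_PROTO = 6

def rfc2385_digest(src_ip, dst_ip, fixed_hdr, seg_len, payload, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed), data, then key."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:20]   # checksum field forced to zero
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Build a signed TCP segment: 20-byte header, 20 bytes of options, payload."""
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 10 << 4, flags, 65535, 0, 0)
    seg_len = 20 + 20 + len(payload)                          # length covers options too
    digest = rfc2385_digest(src_ip, dst_ip, fixed, seg_len, payload, key)
    options = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"  # NOP, NOP pad
    return fixed + options + payload

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: True only if the segment carries an MD5 option that matches key."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or len(segment) < data_offset:
        return False
    options, payload = segment[20:data_offset], segment[data_offset:]
    received, i = None, 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            return False                   # malformed option; drop the segment
        if kind == MD5_OPT_KIND and options[i + 1] == MD5_OPT_LEN:
            received = options[i + 2:i + MD5_OPT_LEN]
        i += options[i + 1]
    if received is None:
        return False                       # unsigned segment on a signed session: drop it
    expected = rfc2385_digest(src_ip, dst_ip, segment[:20], len(segment), payload, key)
    return hmac.compare_digest(received, expected)
```

Every segment, including each BGP KEEPALIVE, costs one MD5 computation on both sides, which is the per-peer CPU cost weighed against the exchange's MAC port locking in the post above.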


