[48421] in North American Network Operators' Group


Re: route authentication

daemon@ATHENA.MIT.EDU (Richard A Steenbergen)
Tue Jun 4 11:07:28 2002

Date: Tue, 4 Jun 2002 11:06:51 -0400
From: Richard A Steenbergen <ras@e-gerbil.net>
To: batz <batsy@vapour.net>
Cc: Sean Donelan <sean@donelan.com>,
	Barbara Fraser <byfraser@cisco.com>, nanog@merit.edu
In-Reply-To: <Pine.BSF.4.21.0206041009140.70855-100000@vapour.net>
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, Jun 04, 2002 at 10:20:10AM -0400, batz wrote:
> 
> Maybe Cisco could add this as a default requirement of the configuration 
> that had to be explicitly disabled? In fact, it would be nice if all 
> protocol configurations had to have their authentication manually
> disabled. 

With respect to BGP MD5 at least, a shared key is required, so you can't 
make it "default".

As for why it's not more commonly used... Despite all the whining about the
potential for an attack, I'm not aware of anyone having actually done so.
Routers are notoriously under-CPU'd, and I think most engineers would
rather have routes converge 30% faster than protect against an attack
no one has ever done.

That and it's just one more thing to negotiate with the other side. :)

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
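
The shared-key requirement mentioned in the message above, as an added example that is not part of the original post: a sketch of the RFC 2385 TCP MD5 signature that BGP MD5 relies on, showing that a receiver without the sender's key cannot verify a segment. The addresses, ports, key strings and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest: MD5 over the TCP pseudo-header, the fixed TCP header
    (checksum zeroed, options excluded), the segment data, then the key."""
    data_offset = (tcp_header[12] >> 4) * 4   # header length including options
    seg_len = data_offset + len(payload)      # TCP length in the pseudo-header
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    fixed = bytearray(tcp_header[:20])        # options are not covered
    fixed[16:18] = b"\x00\x00"                # checksum is treated as zero
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()

def receiver_accepts(src_ip, dst_ip, tcp_header, payload, received_digest, local_key):
    """Receiver side: recompute with the locally configured key and compare.
    With no key configured (None) a signed segment cannot be verified."""
    if local_key is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, local_key)
    return hmac.compare_digest(expected, received_digest)

def build_sample():
    """Constructed sample: a BGP KEEPALIVE between two documentation addresses."""
    # Fixed 20-byte TCP header; data offset 10 words leaves room for the MD5 option.
    header = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 2000,
                         10 << 4, 0x18, 16384, 0xBEEF, 0)
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)  # marker, length 19, type 4
    return "192.0.2.1", "192.0.2.2", header, keepalive

if __name__ == "__main__":
    src, dst, hdr, data = build_sample()
    sent = tcp_md5_digest(src, dst, hdr, data, b"constructed-key-A")
    for label, key in [("same key", b"constructed-key-A"),
                       ("different key", b"constructed-key-B"),
                       ("no key configured", None)]:
        print(label, "->", receiver_accepts(src, dst, hdr, data, sent, key))
```
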
