[70275] in North American Network Operators' Group

Re: MD5 proliferation statistics

daemon@ATHENA.MIT.EDU (Patrick W.Gilmore)
Thu May 6 17:53:00 2004

In-Reply-To: <409A870B.4050808@nipper.de>
Cc: Patrick W.Gilmore <patrick@ianai.net>
From: Patrick W.Gilmore <patrick@ianai.net>
Date: Thu, 6 May 2004 17:52:16 -0400
To: nanog@nanog.org
Errors-To: owner-nanog-outgoing@merit.edu


On May 6, 2004, at 2:42 PM, Arnold Nipper wrote:

> On 06.05.2004 20:03 Steve Gibbard wrote:
>
>> I'm curious as to what sorts of response rates those who have been
>> actively contacting peers to ask for MD5 configuration have been getting,
>> as well as whether other networks that have not been being proactive about
>> this have been seeing contact rates similar to ours.
>>
>
> At DE-CIX (www.de-cix.net) we have two route-servers (resilient setup).
> We were not really actively contacting peers (i.e. did not really press
> them to activate MD5).
>
> Our figures (counted per AS not per peering as we have double peerings
> both on our side as well as on customer side having two+ routers) are:
>
>  120 peerings
>   21 MD5 peerings
>
>  ratio: 17.5%
>
> Better than expected. I told a friend that MD5 peerings would be <10%.

Now I have been pretty vocal about the whole MD5 thing, but I have to
say that route-servers are probably not the best indication of
MD5-ness.  Sessions which pass traffic get a little higher priority at
most organizations.

Unfortunately, my organization was not passive until we got to see what 
the threat actually was, so our numbers are not useful.  Would any 
traffic-carrying-organization care to discuss their numbers?

And anyone want to admit seeing an RST-style attack?  Any attack which 
MD5 would have blocked?

-- 
TTFN,
patrick

