[74919] in North American Network Operators' Group

Re: BCP38 making it work, solving problems

daemon@ATHENA.MIT.EDU (Joe Abley)
Thu Oct 21 15:13:05 2004

In-Reply-To: <Pine.LNX.4.58.0410202147480.25752@web1.mmaero.com>
Cc: Patrick W Gilmore <patrick@ianai.net>, nanog@merit.edu
From: Joe Abley <jabley@isc.org>
Date: Thu, 21 Oct 2004 15:12:00 -0400
To: Jon Lewis <jlewis@lewis.org>
Errors-To: owner-nanog-outgoing@merit.edu



On 20 Oct 2004, at 21:49, Jon Lewis wrote:

> On Wed, 20 Oct 2004, Patrick W Gilmore wrote:
>
>> Have you actually done the work to see how many packets it takes to
>> shut down a session with and without MD5 enabled?  (The question is
>> rhetorical, since your post shows that you have not.)
>
> Just a bit more sauce for the goose...enabling MD5 on BGP peers under
> certain latest in their train IOS versions will immediately crash IOS.
>
> Guess how I know that?

In a similar vein, upgrading from certain flavours of 12.0 to certain 
flavours of 12.2 seems to cause password hashes to become 
dysfunctional, leaving BGP sessions down after the first reboot until 
the passwords are re-entered in plain text from the command line. 
(Guess how I know that, too).

This is not a statement in support of not using MD5 auth passwords. 
Just a reminder to include MD5 passwords in your lab testing before 
deployment, if you use them.


Joe

