[81688] in North American Network Operators' Group


Re: md5 for bgp tcp sessions

daemon@ATHENA.MIT.EDU (Joe Abley)
Thu Jun 23 10:54:35 2005

In-Reply-To: <20050623135744.GA27320@roxanne.org>
Cc: Todd Underwood <todd@renesys.com>, nanog@merit.edu
From: Joe Abley <jabley@isc.org>
Date: Thu, 23 Jun 2005 10:52:35 -0400
To: Eric Gauthier <eric@roxanne.org>
Errors-To: owner-nanog@merit.edu



On 2005-06-23, at 09:57, Eric Gauthier wrote:

>>> likely need to make modifications to our IGP/EGP setup.  Though we filter
>>> OSPF multicast traffic, we wanted to add in MD5 passwords to our
>>> neighbors.
>>
>> just a quick comment here.  i would encourage you not to do that.
>
> Honestly, I completely agree with you that MD5'ing our OSPF adjacencies
> isn't a great idea (I've so far stalled its roll-out).

Just in case it's not obvious to any onlookers here, Eric was talking  
about using MD5 authentication in OSPF adjacencies, and Todd is  
talking about using the TCP MD5 signature option (RFC2385) between  
BGP peers.

They are two different things (although they both involve routing  
protocols and the MD5 algorithm): not all arguments for or against  
one will apply to the other.


Joe

