BGP MD5 at IXP
- Subject: BGP MD5 at IXP
- From: andy at nosignal.org (Andy Davidson)
- Date: Sat, 10 Mar 2012 09:42:10 +0000
- In-reply-to: <CAK6zc0nbsgT_De9A9egQR_WaHkapaDy6J0OJRwvJ_K=Ebgr_JA@mail.gmail.com>
- References: <CAK6zc0nbsgT_De9A9egQR_WaHkapaDy6J0OJRwvJ_K=Ebgr_JA@mail.gmail.com>
On 9 Mar 2012, at 22:24, Jay Hanke wrote:
> How critical is BGP MD5 at Internet Exchange Points? Would lack of
> support for MD5 authentication on route servers prevent some peers
> from multilaterally connecting? Do most exchange operators support it?
At LONAP in London, the route-servers do not support TCP MD5 authentication for BGP. I don't think that this policy has led to anyone refusing to connect (about 80 of the 110 or so peers connected to the exchange use the Multilateral service - it is optional to connect to the MLP). We have no plans to enable TCP MD5 on this service.
Because TCP MD5 packets touch a router's CPU, using MD5 introduces a new attack vector - see nanogii passim (e.g. http://www.nanog.org/meetings/nanog39/presentations/Scholl.pdf). Don't do it. :-)
Andy