MD5?

Joel jaeggli joelja at bogus.com
Fri Jan 27 23:00:53 UTC 2012


On 1/27/12 12:35 , Christopher Morrow wrote:
> On Fri, Jan 27, 2012 at 3:32 PM, Jon Lewis <jlewis at lewis.org> wrote:
>> On Fri, 27 Jan 2012, Christopher Morrow wrote:
>>
>>> lots of folks still use it yes. is it helpful? maybe? maybe not? is
>>> this peering over a shared media (like a 10base-T hub).
>>>
>>> You might point out that you'll be enabling this, then promptly
>>> writing the 'secret' on a large whiteboard in your noc... because
>>> chances are the config won't include it in rancid and ... you don't
>>> have a place to store these securely that's not prone also to outages
>>> :(
>>>
>>> also, customers wander through your NOC, so...
>>
>>
>> All that may be true, but still, the random hacker in Romania who wants in
>> on their BGP session won't know the secret...probably.
> 
> 1) that person doesn't exist
> 2) they need a LOT more info about what's going on anyway
> 3) I bet they will get a copy of the config from at least:
>    a) vendor data sources
>    b) ebay purchases of gear
>    c) pwning a noc-worker and getting things done from there.
> 
> There are far better ways to skin this cat.

I don't think md5 is that great, but I absolutely wouldn't use a clear
text password if I'm going to use anything at all.

I don't think shared secret management is dramatically harder than any
other form of configuration management, modulo rekeying requires
coordination with a third party and is therefore hard.

joel
