Results of query on auth usage

Barbara Fraser byfraser at cisco.com
Wed Jun 5 20:34:16 UTC 2002


I received 20 responses which isn't exactly overwhelming :-). All of the 
responses included usage information for eBGP-MD5 and a few provided 
information on MD5 for interior protocols. In addition to these 20 I also 
received a few more with commentary. Conclusion from these messages?

+ only 2 required their peers to use eBGP-MD5
+ many wanted to use it but peers either refused or didn't know how
+ some issues concerning whether this protects you from any "real" threat

So, there you have it. Below are the breakouts and miscellaneous remarks 
that were included in the email I received. Thanks to all of you who took 
the time to send me something.

Barb

==================================

eBGP-MD5 use

2 responded that they used it and required it of all peers
12 others replied they used BGP-MD5 whenever their peers supported it
1 replied they use it only when required by a peer
5 said they do not use it

Specific usage comments:
Out of 100+ peers, only 1 requires it
I use MD5 with BGP where I can, but <ISP> told me they don't support it so 
I'm limited in where I can deploy.
1 out of 25+ peers supports it
1 or 2 out of the 80+ eBGP sessions support it
2 out of 200 eBGP sessions support it


iBGP/OSPF/ISIS with MD5

2 reported using this but were in the 5 above that don't use eBGP-MD5
4 others reported using this as well as eBGP-MD5
no reports of using ISIS w MD5
1 said they do not use it

Miscellaneous comments:
+ For the most part, the greater vulnerability (still not well-understood 
by the script-kiddie community, thankfully) is probably a simple DoS of the 
appropriate listening port for the routing protocol.
+ It is our belief that it is highly unlikely that someone would get into 
your network to inject erroneous route advertisements.
+ The most difficult challenge I face there is convincing people of the 
"need" with the lack of a published exploit that the MD5 authentication 
would prevent.
+ Despite all the whining about the potential for an attack, I'm not aware 
of anyone having actually done so. Routers are notoriously under-CPU'd, and 
I think most engineers would rather have routes converge 30% faster than 
protect against an attack no one has ever done.
+ no hacker could figure out how to get into the infrastructure far enough 
to attack that so it's not worth attacking
+ It is very hard for a big provider to change their procedure for setting 
up MD5 authentication
+ Some ISPs are practically religious about using them, usually the result 
of a single person at the ISP pushing it.
+ On a case by case basis you can get most ISPs to set up MD5 on your 
particular BGP session, once you found the right engineer.
+ The person at the other end didn't know how to enable it so you couldn't 
do it
+ As far as internal IGP (OSPF) MD5 authentication, I was always a little 
leery of using it because I wasn't comfortable with key rollover when you 
approached the maximum number of key-ids (I believe it was 255).  At that 
point, you're forced to take a hit when you have to remove the key entirely 
and start from a low integer value key-id.  Had that limitation not been 
there, I would've deployed IGP MD5 authentication.
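As an added illustration of the deployments these comments describe (not part of the original post or any respondent's configuration), the Cisco IOS configuration below enables TCP MD5 on one eBGP session and MD5 authentication on one OSPF interface, and shows the two-step key rollover the last comment is concerned about. The AS numbers, peer address, interface name and key strings are placeholders.

```cisco
! Added example, not from the original post. Placeholders: AS numbers,
! peer address 192.0.2.2, interface Gi0/1 and every key string.
!
! eBGP-MD5 (RFC 2385 TCP MD5 signature option): both ends must be
! configured with the same password, otherwise the TCP session for the
! peering never establishes. This is the "peer has to support it" problem
! the survey responses keep running into.
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 password SHARED-SECRET-PLACEHOLDER
!
! OSPF MD5: keys are identified by a per-interface key-id in the range
! 1-255 (the 255 limit the last comment refers to). To roll a key without
! losing adjacency, add the new key-id on every router on the link first;
! while both keys are present the router keeps authenticating with each
! configured key, so neighbors that only know the old key stay up.
interface GigabitEthernet0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OLD-KEY-PLACEHOLDER
 ip ospf message-digest-key 2 md5 NEW-KEY-PLACEHOLDER
!
! Step two, once every neighbor on the link carries key-id 2: remove the
! old key-id. A removed key-id can be configured again later, which is
! how you get back to low key-id values without dropping authentication.
interface GigabitEthernet0/1
 no ip ospf message-digest-key 1 md5 OLD-KEY-PLACEHOLDER
```

The point of ordering the rollover this way is that the only moment authentication can fail is if a router removes key-id 1 while a neighbor has not yet learned key-id 2, so the checklist is: add the new key everywhere, confirm adjacencies are still up, then remove the old key everywhere.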



