MD5 BGP performance on a VXR?

Henning Brauer hb-nanog at bsws.de
Fri Jun 11 19:13:16 UTC 2004


* Patrick W.Gilmore <patrick at ianai.net> [2004-06-11 20:54]:
> On Jun 11, 2004, at 8:21 AM, Newell, Tony wrote:
> >My first question would be how big is your prefix list per BGP session?
> >What is really going to task this router with 25 sessions is the BGP
> >Scanner and BGP Router processes.  To my knowledge MD5 is just for
> >authenticating the session.  I could be wrong.
> Every TCP packet in the BGP session (including HELLOs) will have to go 
> through the MD5 process.

there is no HELLO in bgp. and it is not really related to bgp either, 
it is just the common case that they're used together. with tcp md5sig, 
each and every packet gets a md5 signature - build from the packet header 
and a shared secret - added, and the receiving side - which, of course, 
has to have the secret for that - does the same again. if the signature 
in the packet and the signature the receiver calculated don't match, 
the packet is discarded (well, should. FreeBSD's implementation does 
sign outgoing packets and simply ignores signatures on incoming 
packets, very useful. ok, I don't know wether this has been fixed, but 
thanks for the laugh).

> This happens even if things like the sequence number is wrong (at least 
> on some versions of IOS).

I consider this Yet Another IOS Bug.

-- 
Henning Brauer, BS Web Services, http://bsws.de
hb at bsws.de - henning at openbsd.org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



More information about the NANOG mailing list