BCP38 making it work, solving problems
Patrick W Gilmore
patrick at ianai.net
Wed Oct 20 06:37:13 UTC 2004
On Oct 19, 2004, at 1:14 PM, JP Velders wrote:

> jacking the connection is in a completely different class as someone
> bombarding you with a bunch of forged BGP packets to close down a
> session. Without that MD5 checksum you are quite vulnerable to that. I
> haven't seen a vendor come up with a solution to that, because the
> problem is on a much more vendor-neutral level...

We haven't talked about this in a few months, so what the hell....

Have you actually done the work to see how many packets it takes to
shut down a session with and without MD5 enabled? (The question is
rhetorical, since your post shows that you have not.)

Back on topic, the MD5 debate is not an exact apples-to-apples
comparison of BCP38. Stopping people from shutting down your BGP
sessions is not the same as letting your customer hurt me while
claiming to be a third party.

Put another way, MD5 on BGP sessions is a personal choice per network.
I made my decision. You are welcome and encouraged to make your own.
Neither will affect the other, except where our two networks meet.
(And then I am positive we can come to some mutual understanding.)

BCP38 is not a personal decision. Not implementing it hurts the whole
Internet, not just your little corner.