MD5 considered harmful

harbor235 harbor235 at
Tue Jan 31 13:42:22 UTC 2012

My thoughts are that you should filter traffic routed directly to your BGP
speaking devices; traffic routing through an edge device and to an edge
device are treated differently. BGP session protection using an MD5 password
by itself is not securing the control plane, but it is a component of an
overall secure edge posture. For example, MD5 protection, plus edge
filtering policies, plus TTL security, plus ..., make for a more
secure edge.

Also, it does not matter how many attempts at compromising a BGP session
occur; it only takes one, so why not nail it down?


On Tue, Jan 31, 2012 at 12:39 AM, Keegan Holley
<keegan.holley at> wrote:

> I suppose so, but BFD certainly has a lot more moving parts than adding
> MD5 checksums to an existing control packet.  I'm not saying everyone
> should turn it on or off for that matter.  I just don't see what the
> big deal is.  Most of the shops I've seen have it on because of some
> long forgotten engineering standard.
> 2012/1/30 John Kristoff <jtk at>:
> > On Fri, 27 Jan 2012 15:52:41 -0500
> > "Patrick W. Gilmore" <patrick at> wrote:
> >
> >> Unfortunately, Network Engineers are lazy, impatient, and frequently
> >> clueless as well.
> >
> > While the quantity of peering sessions I've had is far less than
> > yours, once upon a time when I had tried to get MD5 on dozens of peering
> > sessions I learned quite a bit about those engineers and those
> > networks.  I got to find out who couldn't do password management, who
> > never heard of MD5 and who had been listening to Patrick.  :-) All good
> > input that informs what else I might want to do to protect myself from
> > those networks or who I wouldn't mind having a business relationship
> > with.
> >
> > John
> >
> >
