MD5 considered harmful
ler762 at gmail.com
Tue Jan 31 13:56:52 CST 2012
On 1/31/12, Nick Hilliard <nick at foobar.org> wrote:
> On 31/01/2012 16:40, David Barak wrote:
>> Because downtime is a security issue too, and MD5 is more likely to
>> contribute to downtime (either via lost password, crypto load on CPU, or
>> other) than the problem it purports to fix. The goal of a network
>> engineer is to move packets from A -> B. The goal of a security
>> engineer is to keep that from happening. A business needs to weigh the
>> cost and benefit of any given approach, and MD5 BGP auth does not come
>> out well in the of situations.
> cpu load is negligible and is done in hardware on several platforms. Lost
> passwords can occur but if you have properly stored configuration backups,
> they shouldn't be a major problem. Also, they can be trivially decrypted
> from C/J configuration files.
> From my point of view, MD5 passwords serve two purposes:
.. snip ..
> 2. they can be used to convince security auditors that the network is
> secure and that they can now sod off and stop harassing me, kthxbai
It isn't worth the time or effort trying to get an exception to their
More information about the NANOG