MD5 considered harmful

Lee ler762 at gmail.com
Tue Jan 31 13:56:52 CST 2012


On 1/31/12, Nick Hilliard <nick at foobar.org> wrote:
> On 31/01/2012 16:40, David Barak wrote:
>> Because downtime is a security issue too, and MD5 is more likely to
>> contribute to downtime (either via lost password, crypto load on CPU, or
>> other) than the problem it purports to fix.  The goal of a network
>> engineer is to move packets from A -> B.  The goal of a security
>> engineer is to keep that from happening.  A business needs to weigh the
>> cost and benefit of any given approach, and MD5 BGP auth does not come
>> out well in the of situations.
>
> cpu load is negligible and is done in hardware on several platforms.  Lost
> passwords can occur but if you have properly stored configuration backups,
> they shouldn't be a major problem.  Also, they can be trivially decrypted
> from C/J configuration files.
>
> From my point of view, MD5 passwords serve two purposes:
  .. snip ..
>
> 2. they can be used to convince security auditors that the network is
> secure and that they can now sod off and stop harassing me, kthxbai

+1

It isn't worth the time or effort trying to get an exception to their
'best practice'.

Lee



More information about the NANOG mailing list