BGP MD5 at IXP

Andy Davidson andy at nosignal.org
Sat Mar 10 09:42:10 UTC 2012


On 9 Mar 2012, at 22:24, Jay Hanke wrote:

> How critical is BGP MD5 at Internet Exchange Points? Would lack of
> support for MD5 authentication on route servers prevent some peers
> from multilaterally connecting? Do most exchange operators support it?

At LONAP in London, the route-servers do not support TCP MD5 authentication for BGP.  I don't think that this policy has led to anyone refusing to connect (about 80 of the 110 or so peers connected to the exchange use the Multilateral service - it is optional to connect to the MLP).  We have no plans to enable TCP MD5 on this service.

Because TCP MD5 packets touch a router's CPU, using MD5 introduces a new attack vector - see nanogii passim (e.g. http://www.nanog.org/meetings/nanog39/presentations/Scholl.pdf).  Don't do it. :-)

Andy

