Peering at public exchange authentication

Bob Evans bob at FiberInternetCenter.com
Fri Sep 29 18:20:10 UTC 2017


Almost all good and popular peering points utilize MAC locks on ports for
all peers. (With few exceptions.) To hijack a BGP session one would need
not only a port on the peering network but a MAC address registered with
the peering network - or their packets won't traverse the port through
the switches to your port.

So the extra CPU load of MD5, in my opinion, is a waste on a peering edge
router with many peers. With lots of peers on a router - all the timing
and table building after a needed maintenance reboot could lead to table
building slowness and establishment timing sluggishness issues (depending
on the router of course).

If a peering network doesn't lock most all participants (and any route
servers they have) by the MAC of the peering device I won't be a
participant.

All that said - I know of a way a customer of a network can create havoc
by using a device/router that allows the MAC to be modified like a
variable. However, for the most part that havoc would be limited to that
network that hacking customer is located on. This would also be a truly
rare event as there needs to be something the network also allowed for the
customer to get routable layer 2 access to the peering port.

Bob Evans
CTO




> MD5 on BGP Considered Harmful
>
> --
> TTFN,
> patrick
>
> Composed on a virtual keyboard, please forgive typos.
>
>
>> On Sep 29, 2017, at 13:41, craig washington
>> <craigwashington01 at hotmail.com> wrote:
>>
>> Hello all,
>>
>>
>> Wondering your views or common practices for using authentication via
>> BGP at public exchange locations.
>>
>> Just for example, let's say you peer with 5 people in the TELX in
>> Atlanta, do you require them to all use authentication for the BGP
>> session?
>>
>> I've seen some use it and some not use it, is it just a preference?
>
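Added example, not part of this thread or anyone's router code: a stand-alone reimplementation of the TCP MD5 signature option (RFC 2385) that BGP "MD5 authentication" refers to, so the trade-off discussed above can be seen concretely. The digest covers the IP pseudo-header (source and destination address), the fixed TCP header with the checksum zeroed, the segment payload and the shared key; this is why a segment with a different source address, a changed payload or a wrong key fails verification, and also why every segment of the session costs one MD5 computation on the receiver. Real stacks do this in the kernel (Linux exposes it as the TCP_MD5SIG socket option); the addresses, ports, key and the 19-byte BGP KEEPALIVE payload below are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

TCP_PROTO = 6
TCPOPT_MD5SIG = 19          # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18         # kind + length + 16-byte digest
TCPOPT_NOP = 1

# Constructed sample values (not from the thread): a BGP KEEPALIVE is a
# 16-byte all-ones marker, 2-byte length (19) and 1-byte type (4).
SAMPLE_KEY = b"s3cr3t-peering-key"
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


@dataclass
class TcpSegment:
    """Just enough of a TCP segment to compute the RFC 2385 signature."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int              # e.g. 0x18 = PSH|ACK
    window: int
    payload: bytes = b""
    options: bytes = b""    # other TCP options, excluding the MD5 option
    urgent: int = 0

    def header_len(self) -> int:
        # Fixed 20-byte header plus options (including the MD5 option),
        # padded to a 4-byte boundary as the data offset field requires.
        opt_len = len(self.options) + TCPOLEN_MD5SIG
        return 20 + ((opt_len + 3) & ~3)

    def fixed_header_zero_checksum(self) -> bytes:
        # RFC 2385 section 2: the TCP header excluding options, with the
        # checksum field treated as zero. The data offset still counts options.
        data_offset = self.header_len() // 4
        return struct.pack("!HHIIBBHHH", self.src_port, self.dst_port,
                           self.seq, self.ack, data_offset << 4, self.flags,
                           self.window, 0, self.urgent)


def rfc2385_digest(seg: TcpSegment, key: bytes) -> bytes:
    """MD5 over pseudo-header, fixed TCP header, payload and key, in that order."""
    seg_len = seg.header_len() + len(seg.payload)
    pseudo = (ipaddress.IPv4Address(seg.src_ip).packed
              + ipaddress.IPv4Address(seg.dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    h = hashlib.md5()
    h.update(pseudo)
    h.update(seg.fixed_header_zero_checksum())
    h.update(seg.payload)
    h.update(key)
    return h.digest()


def build_md5_option(seg: TcpSegment, key: bytes) -> bytes:
    """The option bytes a sender places in the segment, NOP-padded to 4 bytes."""
    opt = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + rfc2385_digest(seg, key)
    pad = (-(len(seg.options) + len(opt))) % 4
    return opt + bytes([TCPOPT_NOP]) * pad


def verify_md5_option(seg: TcpSegment, option: bytes, key: bytes) -> bool:
    """Receiver side: recompute over the segment as received and compare."""
    if len(option) < TCPOLEN_MD5SIG or option[0] != TCPOPT_MD5SIG \
            or option[1] != TCPOLEN_MD5SIG:
        return False
    # constant-time comparison so a forger learns nothing from timing
    return hmac.compare_digest(option[2:TCPOLEN_MD5SIG], rfc2385_digest(seg, key))


def sample_keepalive_segment(src_ip: str = "192.0.2.10") -> TcpSegment:
    """A constructed KEEPALIVE from a peer to a route server (documentation addresses)."""
    return TcpSegment(src_ip, "192.0.2.1", 40001, 179, seq=1000, ack=2000,
                      flags=0x18, window=65535, payload=BGP_KEEPALIVE)


if __name__ == "__main__":
    seg = sample_keepalive_segment()
    opt = build_md5_option(seg, SAMPLE_KEY)
    print("option bytes:", opt.hex())
    print("genuine segment verifies:", verify_md5_option(seg, opt, SAMPLE_KEY))
    forged = sample_keepalive_segment(src_ip="192.0.2.99")
    print("same option from another address verifies:",
          verify_md5_option(forged, opt, SAMPLE_KEY))
```

The receiver-side check is the cost Bob refers to: it runs for every segment, including the flood of UPDATEs after a reboot, whereas a MAC lock on the exchange port is enforced once in the switch data plane. The example also shows what MD5 does cover that the MAC lock does not: the segment contents and the addresses, so even a host that is on the right port cannot inject or replay a modified segment without the key.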