nanog mailing list archives
Re: MD5 considered harmful
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Fri, 27 Jan 2012 19:40:07 -0500
On Jan 27, 2012, at 6:20 PM, Jared Mauch wrote:
> On Jan 27, 2012, at 3:52 PM, Patrick W. Gilmore wrote:
>
>> Your network, your decision. On my network, we do not do MD5. We do more traffic than anyone and have to be in the top 10 of total eBGP peering sessions on the planet. Guess how many times we've seen anyone even attempt this attack? If you guessed more than zero, guess again.
>>
>> I am fully well aware saying this in a public place means someone, probably many someones, will try it now just to prove me wrong. I still don't care. What does that tell you?
>>
>> STOP USING MD5 ON BGP.
>
> I would generally say: If you are on a p2p link or control the network, then yeah, you don't need md5. If you are at a shared medium (e.g.: IX) I do recommend it there, as it will help mitigate cases where someone can hijack your session by putting your IP/ASN whatnot on the router.
As much as this scares me, I am going to disagree with Jared.

If another member on the IX fabric wants to do something bad, then spoofing your address and causing BGP sessions to flap is the least of your worries.

I've personally configured thousands of sessions at dozens of IXes for well over a decade. I have yet to see a single case where MD5 would have been useful. OTOH, it has caused quite a bit of downtime.

There is no perfect solution, everything has issues. Past performance is no guarantee of future profits. All you can do is try your level-headed best to keep the packets flowing as quickly, reliably, and cheaply as possible. MD5 is a detriment to _all three_ of those goals.

-- 
TTFN,
patrick
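The mechanism the two posts are arguing about is the TCP MD5 signature option (RFC 2385): each segment of the BGP session carries an MD5 digest over the IP pseudo-header, the TCP header, the payload and a shared key, and the receiving router silently discards any segment whose digest does not verify. The following is an added illustration, not code from the thread or from any router vendor: it builds and verifies signed segments in Python to show concretely what Jared's "mitigate session hijack on a shared medium" means (a segment from a host that does not hold the key fails verification) and what it does not cover (anything beyond the TCP session itself). The key, the 192.0.2.0/24 documentation addresses and the payload are constructed; IPv4 only, and the TCP checksum is left at zero rather than computed.

```python
"""RFC 2385 TCP MD5 signature option: build and verify signed TCP segments.
Added example; IPv4 only, TCP checksum not computed, all values constructed."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
MD5_OPT_KIND = 19      # option kind for the TCP MD5 signature (RFC 2385)
MD5_OPT_LEN = 18       # kind (1) + length (1) + digest (16)
MD5_OPT_PADDED = 20    # option plus two NOPs so the header stays 32-bit aligned


def tcp_md5_digest(src_ip, dst_ip, header20, payload, key):
    """Digest over pseudo-header, options-free TCP header with checksum
    zeroed, payload, then key: the order RFC 2385 section 2 prescribes."""
    tcp_len = (header20[12] >> 4) * 4 + len(payload)   # data offset incl. options
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    zeroed = header20[:16] + b"\x00\x00" + header20[18:]  # checksum bytes 16-17
    return hashlib.md5(pseudo + zeroed + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Return a TCP header (20 bytes + MD5 option, padded) followed by payload."""
    data_offset = (20 + MD5_OPT_PADDED) // 4            # 10 x 32-bit words
    header20 = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                           data_offset << 4, flags, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, header20, payload, key)
    option = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"  # NOP pad
    return header20 + option + payload


def extract_md5_option(options):
    """Walk the TCP options area; return the 16-byte digest or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # EOL
            return None
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                    # malformed option: treat as unsigned
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """True only if the segment carries a digest that matches our key.
    A receiver configured for MD5 drops everything else before TCP sees it."""
    if len(segment) < 20:
        return False
    header20 = segment[:20]
    hdr_len = (header20[12] >> 4) * 4
    options, payload = segment[20:hdr_len], segment[hdr_len:]
    carried = extract_md5_option(options)
    if carried is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header20, payload, key)
    return hmac.compare_digest(carried, expected)   # constant-time compare


def demo():
    """Constructed scenario: a peer at 192.0.2.1 talks BGP to 192.0.2.2."""
    key = b"example-shared-secret"                  # constructed, not a real key
    src, dst = "192.0.2.1", "192.0.2.2"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"      # BGP KEEPALIVE: marker, len 19, type 4
    good = build_segment(src, dst, 179, 40000, 1000, 2000, 0x18, keepalive, key)
    # Same addresses and ports but signed with a key the receiver does not hold
    other_key = build_segment(src, dst, 179, 40000, 1000, 2000, 0x18, keepalive, b"not-the-key")
    # Valid signature, but payload altered in transit
    tampered = good[:-1] + bytes([good[-1] ^ 0xFF])
    # No MD5 option at all (data offset 5, no options)
    unsigned = struct.pack("!HHIIBBHHH", 179, 40000, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0) + keepalive
    return {
        "genuine": verify_segment(src, dst, good, key),
        "wrong_key": verify_segment(src, dst, other_key, key),
        "tampered": verify_segment(src, dst, tampered, key),
        "unsigned": verify_segment(src, dst, unsigned, key),
        "segment_len": len(good),
    }


if __name__ == "__main__":
    print(demo())
```

Only the genuine segment verifies; the other three are exactly the cases a router with `MD5` on the session discards. Note what the code also makes plain about Patrick's objection: the digest binds both endpoint addresses and the key, so a key mismatch or a rekey done on one side before the other produces precisely the dropped segments and flapping session he describes, and nothing in the option protects the routes announced once the session is up.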