nanog mailing list archives
Re: BGP MD5 at IXP
From: Andy Davidson <andy () nosignal org>
Date: Sat, 10 Mar 2012 09:42:10 +0000
On 9 Mar 2012, at 22:24, Jay Hanke wrote:
> How critical is BGP MD5 at Internet Exchange Points? Would lack of support for MD5 authentication on route servers prevent some peers from multilaterally connecting? Do most exchange operators support it?
At LONAP in London, the route-servers do not support TCP MD5 authentication for BGP. I don't think that this policy has led to anyone refusing to connect (about 80 of the 110 or so peers connected to the exchange use the Multilateral service - it is optional to connect to the MLP). We have no plans to enable TCP MD5 on this service.

Because TCP MD5 packets touch a router's CPU, using MD5 introduces a new attack vector - see nanogii passim (e.g. http://www.nanog.org/meetings/nanog39/presentations/Scholl.pdf). Don't do it. :-)

Andy