nanog mailing list archives

Re: MD5 considered harmful


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Fri, 27 Jan 2012 16:21:49 -0500

On Fri, Jan 27, 2012 at 3:52 PM, Patrick W. Gilmore <patrick () ianai net> wrote:
> MD5 on BGP sessions is the canonical example of a cure worse than the disease.  There has been /infinitely/ more
> downtime caused by MD5 than the mythical attack it protects against.  (This is true because anything times zero is
> still zero.)


I don't disagree with Patrick here... but 'infinitely more' is hard
to measure :) "Most likely there have been far more lengthy outages
due to lost/changed/incorrect key material than were caused by the
problem this is meant to solve for."

-chris

It is

