nanog mailing list archives
Re: BGP MD5 at IXP
From: Nick Hilliard <nick () foobar org>
Date: Sun, 11 Mar 2012 22:02:47 +0000
On 10/03/2012 11:24, Robert E. Seastrom wrote:
> Hopefully your modern exchange point router has some sort of control plane policing.
My gut feeling is that lots don't.

The behaviour of various operating systems regarding MD5 processing is interesting. *BSD (and I assume consequently junos) checks ttl and sequence numbers before checking md5. Linux and IOS do md5 first, and I just wonder about the wisdom of this approach due to the slightly higher computational overhead of calculating the hash.

In general, I'm slightly in favour of md5 at ixps, not because of session security, but when exchange participants leave an ixp, lots of people don't bother to remove the bgp sessions. If as a newcomer to the IXP you get a re-used ip address, without md5 it can sometimes be possible to do Interesting and Bad Things with old sessions from other ixp participants.

FWIW, for the INEX route server system we:

- use bsd
- implement packet filtering to accept tcp/bgp only from the ixp subnet
- generally use md5 for ipv4 sessions
- generally don't use md5 for ipv6 sessions for historical reasons

This works for us.
> I agree with Andy's conclusion. Don't do it unless whoever you're peering with demands it. It's not worth the complexity to set it up in the first place, and it's not worth your time to argue against it if someone is quite convinced that enabling md5 on your bgp session will save the world.
Yep, agreed. Doesn't make that much difference in real life, so don't lose sleep about it. The only real difference it makes is that it can help shut up "security" audit people (the tick-box compliance variety) from their ivory tower whining.

Nick
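Two points in the message above are easy to make concrete: the RFC 2385 TCP MD5 signature itself, and why the order in which a receiver validates a segment (cheap TTL and sequence-number checks before the hash, as described for *BSD, versus hash first, as described for Linux and IOS) changes how much work junk traffic can impose on the control plane. The following is an added example written for this page; it is not code from Nick, INEX, or any of the operating systems mentioned. It implements the RFC 2385 digest over a constructed IPv4 segment and then drives a toy receiver model (an assumption, not a model of any real TCP stack) through both orderings. The addresses, key, and the expectation of TTL 255 (GTSM, RFC 5082, for a directly connected IX peer) are all assumptions made for the example.

```python
"""Added example: RFC 2385 TCP MD5 digest plus a toy receiver that compares
'cheap checks first' against 'MD5 first' validation ordering."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

BGP_PORT = 179


@dataclass
class Segment:
    """The fields of an IPv4/TCP segment that the digest and the checks need."""
    src_ip: str
    dst_ip: str
    ttl: int
    sport: int
    dport: int
    seq: int
    ack: int
    payload: bytes
    digest: Optional[bytes] = None  # contents of the TCP MD5 option, if carried


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """RFC 2385: MD5 over pseudo-header, base TCP header (no options, checksum
    zeroed), segment data, and the key. A signed segment always carries the
    18-byte MD5 option padded to 20 bytes, so the data offset is 10 words."""
    header_words = 10
    pseudo = (ipaddress.IPv4Address(seg.src_ip).packed
              + ipaddress.IPv4Address(seg.dst_ip).packed
              + struct.pack("!BBH", 0, 6, header_words * 4 + len(seg.payload)))
    ack_flag = 0x10
    header = struct.pack("!HHIIHHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                         (header_words << 12) | ack_flag, 65535, 0, 0)
    return hashlib.md5(pseudo + header + seg.payload + key).digest()


class ToyReceiver:
    """One established BGP session on a route server. key=None means no MD5
    configured. This is an assumed model, not BSD or Linux TCP code."""

    def __init__(self, local_ip, peer_ip, key, rcv_nxt, rcv_wnd=65535, md5_first=False):
        self.local_ip, self.peer_ip, self.key = local_ip, peer_ip, key
        self.rcv_nxt, self.rcv_wnd, self.md5_first = rcv_nxt, rcv_wnd, md5_first
        self.hashes = 0  # number of MD5 computations this receiver has performed

    def _cheap_checks(self, seg: Segment) -> bool:
        if (seg.src_ip, seg.dst_ip, seg.dport) != (self.peer_ip, self.local_ip, BGP_PORT):
            return False
        if seg.ttl != 255:  # assumption: GTSM for a directly connected IXP peer
            return False
        return self.rcv_nxt <= seg.seq < self.rcv_nxt + self.rcv_wnd

    def _md5_check(self, seg: Segment) -> bool:
        if self.key is None:
            return seg.digest is None  # plain session: accept only unsigned segments
        if seg.digest is None:
            return False  # MD5 configured but option missing
        self.hashes += 1
        return hmac.compare_digest(seg.digest, tcp_md5_digest(seg, self.key))

    def accept(self, seg: Segment) -> bool:
        if self.md5_first:
            return self._md5_check(seg) and self._cheap_checks(seg)
        return self._cheap_checks(seg) and self._md5_check(seg)


# Constructed values: route server and peer addresses on an IX subnet, shared key.
RS, PEER = "192.0.2.1", "192.0.2.50"
KEY = b"constructed-example-key"


def legit(seq: int) -> Segment:
    """A signed BGP KEEPALIVE (16-byte marker, length 19, type 4) from the peer."""
    seg = Segment(PEER, RS, 255, 40000, BGP_PORT, seq, 1, b"\xff" * 16 + b"\x00\x13\x04")
    seg.digest = tcp_md5_digest(seg, KEY)
    return seg


def hash_cost_of_junk(n: int = 1000) -> dict:
    """MD5 computations each ordering spends on one valid segment followed by
    n segments whose sequence numbers are far outside the receive window."""
    results = {}
    for md5_first in (False, True):
        rx = ToyReceiver(RS, PEER, KEY, rcv_nxt=1000, md5_first=md5_first)
        assert rx.accept(legit(1000))
        for i in range(n):
            junk = Segment(PEER, RS, 255, 40000, BGP_PORT, 5_000_000 + i, 1, b"x")
            junk.digest = b"\x00" * 16  # wrong digest and out-of-window sequence
            assert not rx.accept(junk)
        results["md5_first" if md5_first else "cheap_first"] = rx.hashes
    return results


def stale_session_outcomes() -> dict:
    """A newcomer inheriting PEER's old address sends an unsigned, in-window
    segment at a session the route server never tore down."""
    unsigned = Segment(PEER, RS, 255, 40000, BGP_PORT, 1000, 1, b"x")
    keyed = ToyReceiver(RS, PEER, KEY, rcv_nxt=1000)
    plain = ToyReceiver(RS, PEER, None, rcv_nxt=1000)
    return {"md5_session": keyed.accept(unsigned), "plain_session": plain.accept(unsigned)}


if __name__ == "__main__":
    print(hash_cost_of_junk())        # cheap_first: 1 hash, md5_first: 1001 hashes
    print(stale_session_outcomes())   # md5_session: False, plain_session: True
```

The first function shows the cost asymmetry: with cheap checks first, a burst of out-of-window segments costs no hash computations at all, while with MD5 first every segment costs one, which is exactly why control-plane policing matters more on the latter kind of stack. The second function shows the stale-session point in the defender's terms: a leftover session with MD5 configured rejects traffic from a reused address that lacks the key, whereas a plain session accepts it, so the operational mitigation (remove sessions when a participant leaves, and filter tcp/179 to the IX subnet) stands with or without MD5.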