Re: MD5?

[Joel jaeggli <joelja () bogus com>]

On 1/27/12 12:35 , Christopher Morrow wrote:
> On Fri, Jan 27, 2012 at 3:32 PM, Jon Lewis <jlewis () lewis org> wrote:
> > On Fri, 27 Jan 2012, Christopher Morrow wrote:
> >
> > > lots of folks still use it yes. is it helpful? maybe? maybe not? is
> > > this peering over a shared media (like a 10base-T hub).
> > >
> > > You might point out that you'll be enabling this, then promptly
> > > writing the 'secret' on a large whiteboard in your noc... because
> > > chances are the config won't include it in rancid and ... you don't
> > > have a place to store these securely that's not prone also to outages
> > > :(
> > >
> > > also, customers wander through your NOC, so...
> >
> >
> > All that may be true, but still, the random hacker in Romania who wants in
> > on their BGP session won't know the secret...probably.
>
> 1) that person doesn't exist
> 2) they need a LOT more info about what's going on anyway
> 3) I bet they will get a copy of the config from at least:
>    a) vendor data sources
>    b) ebay purchases of gear
>    c) pwning a noc-worker and getting things done from there.
>
> There are far better ways  to skin this cat.

I don't think md5 is that great, but I absolutely wouldn't use a clear
text password if I'm going to use anything at all.

I don't think shared seceret management is dramatically harder than any
other form of of configuration management, modula rekeying requires
coordination with a third party and is therefore hard.

joel