nanog mailing list archives

Re: MD5 considered harmful


From: Jared Mauch <jared () puck nether net>
Date: Fri, 27 Jan 2012 18:20:17 -0500


On Jan 27, 2012, at 3:52 PM, Patrick W. Gilmore wrote:

> Your network, your decision.  On my network, we do not do MD5.  We do more traffic than anyone and have to be in the 
> top 10 of total eBGP peering sessions on the planet.  Guess how many times we've seen anyone even attempt this 
> attack?  If you guessed more than zero, guess again.
>
> I am fully well aware saying this in a public place means someone, probably many someones, will try it now just to 
> prove me wrong.  I still don't care.  What does that tell you?
>
> STOP USING MD5 ON BGP.

I would generally say: If you are on a p2p link or control the network, then yeah, you don't need MD5.  If you are on a 
shared medium (e.g., an IX) I do recommend it there, as it will help mitigate cases where someone can hijack your session 
by putting your IP/ASN whatnot on the router.

The threat (Attack) never became real and we've now had enough time that even the slowest carriers are running fixed 
code.

- Jared
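As an added illustration (not part of Jared's or Patrick's message), the following Python shows the mechanism that "MD5 on BGP" refers to: the RFC 2385 TCP MD5 Signature Option. Each segment carries an MD5 digest computed over the TCP pseudo-header, the fixed TCP header (checksum zeroed, options excluded), the payload and a shared key. The receiver recomputes it and drops anything that does not match, so a segment injected on a shared medium by a party that does not hold the key, including a RST or a forged BGP message with the right addresses and sequence numbers, is rejected. Peer addresses, ports, sequence numbers and the key are constructed sample values; the 19-byte payload is a BGP KEEPALIVE.

```python
import hashlib
import hmac
import socket
import struct

# Added example, not code from the NANOG thread. Constants are from RFC 2385
# and the TCP option registry; sample addresses/keys below are constructed.
TCP_PROTO = 6
TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19          # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18         # kind (1) + length (1) + 16-byte digest
TCP_FLAG_RST = 0x04
TCP_FLAG_PSH = 0x08
TCP_FLAG_ACK = 0x10


def build_fixed_header(sport, dport, seq, ack, flags, window, options_len, urg=0):
    """20-byte TCP header with checksum = 0, which is the form RFC 2385 hashes.
    options_len is the total option length, already padded to a multiple of 4."""
    assert options_len % 4 == 0
    data_offset = (20 + options_len) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (data_offset << 12) | (flags & 0x1FF), window, 0, urg)


def rfc2385_digest(src_ip, dst_ip, fixed_header, options_len, payload, key):
    """MD5 over: pseudo-header, fixed TCP header (no options, checksum 0),
    segment data, then the shared key, in that order (RFC 2385 section 2.0)."""
    tcp_len = len(fixed_header) + options_len + len(payload)
    pseudo_header = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                     + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    md = hashlib.md5()
    md.update(pseudo_header)
    md.update(fixed_header)
    md.update(payload)
    md.update(key)
    return md.digest()


def md5sig_option(digest):
    """Encode the option; two EOL bytes pad the 18 bytes to a 4-byte boundary."""
    return bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest + bytes([TCPOPT_EOL, TCPOPT_EOL])


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key, window=65535):
    """Sender side: return (fixed_header, options, payload) for a signed segment."""
    options_len = TCPOLEN_MD5SIG + 2
    hdr = build_fixed_header(sport, dport, seq, ack, flags, window, options_len)
    digest = rfc2385_digest(src_ip, dst_ip, hdr, options_len, payload, key)
    return hdr, md5sig_option(digest), payload


def extract_md5sig(options):
    """Walk the TCP option list defensively; return the 16-byte digest or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None                      # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                      # malformed length
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, fixed_header, options, payload, key):
    """Receiver side: a segment with a missing or wrong signature is dropped."""
    received = extract_md5sig(options)
    if received is None:
        return False
    expected = rfc2385_digest(src_ip, dst_ip, fixed_header, len(options), payload, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed sample: peer A speaks to peer B, both sharing KEY.
    A, B, KEY = "192.0.2.1", "198.51.100.2", b"example-bgp-key"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"      # 19-byte BGP KEEPALIVE
    hdr, opts, data = sign_segment(A, B, 179, 40001, 1000, 2000,
                                   TCP_FLAG_PSH | TCP_FLAG_ACK, keepalive, KEY)
    print("genuine segment accepted:", verify_segment(A, B, hdr, opts, data, KEY))
    # Same 4-tuple and sequence numbers, but no key: this is what MD5 stops.
    rst = build_fixed_header(179, 40001, 1000, 2000, TCP_FLAG_RST, 0, 0)
    print("unsigned RST accepted:", verify_segment(A, B, rst, b"", b"", KEY))
```

On Linux the kernel does this per-socket once the key is installed with the TCP_MD5SIG socket option, which is what BGP daemons use under the hood; the code above only makes the computation visible. Note what it does and does not give you: per-segment origin authentication against anyone who lacks the key (the shared-medium hijack case in the message above), not confidentiality, and the key itself is a static shared secret that has to be managed on both sides.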