nanog mailing list archives

Re: MD5 considered harmful

From: Lee <ler762 () gmail com>
Date: Tue, 31 Jan 2012 14:56:52 -0500

On 1/31/12, Nick Hilliard <nick () foobar org> wrote:

On 31/01/2012 16:40, David Barak wrote:

Because downtime is a security issue too, and MD5 is more likely to
contribute to downtime (either via lost password, crypto load on CPU, or
other) than the problem it purports to fix.  The goal of a network
engineer is to move packets from A -> B.  The goal of a security
engineer is to keep that from happening.  A business needs to weigh the
cost and benefit of any given approach, and MD5 BGP auth does not come
out well in the of situations.


cpu load is negligible and is done in hardware on several platforms.  Lost
passwords can occur but if you have properly stored configuration backups,
they shouldn't be a major problem.  Also, they can be trivially decrypted
from C/J configuration files.

From my point of view, MD5 passwords serve two purposes:

  .. snip ..


2. they can be used to convince security auditors that the network is
secure and that they can now sod off and stop harassing me, kthxbai


+1

It isn't worth the time or effort trying to get an exception to their
'best practice'.

Lee

Current thread:

Re: MD5 considered harmful, (continued)
- - - Re: MD5 considered harmful Jeff Wheeler (Jan 27)
    - Re: MD5 considered harmful Keegan Holley (Jan 27)
    - Re: MD5 considered harmful Zaid Ali (Jan 27)
    - Re: MD5 considered harmful Patrick W. Gilmore (Jan 27)
    - Re: MD5 considered harmful John Kristoff (Jan 30)
    - Re: MD5 considered harmful Keegan Holley (Jan 30)
    - Re: MD5 considered harmful harbor235 (Jan 31)
    - Re: MD5 considered harmful David Barak (Jan 31)
    - Re: MD5 considered harmful Nick Hilliard (Jan 31)
    - Re: MD5 considered harmful harbor235 (Jan 31)
    - Re: MD5 considered harmful Lee (Jan 31)
    - Re: MD5? Joel jaeggli (Jan 27)
    - RE: MD5? George Bonser (Jan 27)