nanog mailing list archives

Re: MD5?

From: Christopher Morrow <morrowc.lists () gmail com>
Date: Fri, 27 Jan 2012 14:59:43 -0500

On Fri, Jan 27, 2012 at 2:51 PM, Seth Mattinen <sethm () rollernet us> wrote:

On 1/27/12 11:26 AM, Brian Stengel wrote:

We have a potential customer that is asking for us to enable MD5
authentication on a TCP connection between two BGP peers?  Is this still
common practice today?  Any potential problems or gotchas  to keep in mind?


Sprint requires it to enable remote triggered blackhole.


lots of folks still use it yes. is it helpful? maybe? maybe not? is
this peering over a shared media (like a 10base-T hub).

You might point out that you'll be enabling this, then promptly
writing the 'secret' on a large whiteboard in your noc... because
chances are the config won't include it in rancid and ... you don't
have a place to store these securely that's not prone also to outages
:(

also, customers wander through your NOC, so...

Current thread:

MD5? Brian Stengel (Jan 27)
- Re: MD5? Seth Mattinen (Jan 27)
  - Re: MD5? Christopher Morrow (Jan 27)
    - Re: MD5? Jon Lewis (Jan 27)
    - Re: MD5? Christopher Morrow (Jan 27)
    - MD5 considered harmful Patrick W. Gilmore (Jan 27)
    - Re: MD5 considered harmful Christopher Morrow (Jan 27)
    - Re: MD5 considered harmful Grzegorz Janoszka (Jan 27)
    - Re: MD5 considered harmful Jared Mauch (Jan 27)
    - Re: MD5 considered harmful Keegan Holley (Jan 27)
    - Re: MD5 considered harmful Jeff Wheeler (Jan 27)
    - Re: MD5 considered harmful Keegan Holley (Jan 27)
    - Re: MD5 considered harmful Zaid Ali (Jan 27)

(Thread continues...)