Re: Peering at public exchange authentication

["Bob Evans" <bob () FiberInternetCenter com>]

Almost all good and popular peering points utilize MAC locks on ports for
all peers. (With few exceptions. )  To hijack a bgp session one would need
not only a port on the peering network but a MAC address registered with
the peering network - or their packets won't transverse the port through
the switches to your port.

So the extra CPU load of MD5, in my opinon, is a waste on an peering edge
router with many peers. With lots of peers on a router - all the timing
and table building after a needed maintenance reboot could lead to table
building slowness and establishment timing sluggishness issues (depending
on the router of course).

If a peering network doesn't lock most all participants (and any router
servers they have) by the MAC of the peering device I won't be a
participant.

All that said - I know of a way a customer of a network can create havoc
by using a device/router that allows the MAC to be modified like a
variable. However, for the most part that havoc would be limited to that
network that hacking customer is located on. This would also be a truly
rare event as there needs to be something the network also allowed for the
customer to get routable layer 2 access to the peering port.

Bob Evans
CTO




> MD5 on BGP Considered Harmful
>
> --
> TTFN,
> patrick
>
> Composed on a virtual keyboard, please forgive typos.
>
>
> > On Sep 29, 2017, at 13:41, craig washington
> > <craigwashington01 () hotmail com> wrote:
> >
> > Hello all,
> >
> >
> > Wondering your views or common practices for using authentication via
> > BGP at public exchange locations.
> >
> > Just for example, lets say you peer with 5 people in the TELX in
> > Atlanta, do you require them to all use authentication for the BGP
> > session?
> >
> > Ive seem some use it and some not use it, is it just a preference?