nanog mailing list archives
Re: Peering at public exchange authentication
From: "Bob Evans" <bob () FiberInternetCenter com>
Date: Fri, 29 Sep 2017 11:20:10 -0700
Almost all good and popular peering points utilize MAC locks on ports for all peers. (With few exceptions.) To hijack a BGP session one would need not only a port on the peering network but a MAC address registered with the peering network - or their packets won't traverse the port through the switches to your port. So the extra CPU load of MD5, in my opinion, is a waste on a peering edge router with many peers. With lots of peers on a router - all the timing and table building after a needed maintenance reboot could lead to table building slowness and establishment timing sluggishness issues (depending on the router of course). If a peering network doesn't lock most all participants (and any route servers they have) by the MAC of the peering device I won't be a participant.

All that said - I know of a way a customer of a network can create havoc by using a device/router that allows the MAC to be modified like a variable. However, for the most part that havoc would be limited to that network that hacking customer is located on. This would also be a truly rare event as there needs to be something the network also allowed for the customer to get routable layer 2 access to the peering port.

Bob Evans
CTO
MD5 on BGP Considered Harmful

--
TTFN,
patrick

Composed on a virtual keyboard, please forgive typos.

On Sep 29, 2017, at 13:41, craig washington <craigwashington01 () hotmail com> wrote:

Hello all,

Wondering your views or common practices for using authentication via BGP at public exchange locations. Just for example, let's say you peer with 5 people in the TELX in Atlanta, do you require them to all use authentication for the BGP session? I've seen some use it and some not use it, is it just a preference?
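The authentication being argued about above is the TCP MD5 signature option (RFC 2385), which is what a BGP "neighbor password" turns on. The following Python is an added illustration, not code from this thread or from any router vendor: it computes the RFC 2385 digest over a constructed BGP OPEN segment, verifies it the way a receiver would, and then shows that a host on the exchange LAN which has spoofed the peer's IP address (and MAC) but does not hold the key cannot produce or replay a valid segment. The peer addresses (TEST-NET-3), ports, sequence numbers and the shared key are constructed assumptions for the example.

```python
"""RFC 2385 TCP MD5 signature for a BGP session: sign a constructed OPEN segment,
verify it, and show why an on-LAN attacker without the key cannot forge or replay it."""
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample session on an IXP LAN (TEST-NET-3 addresses). The key is an
# illustrative assumption, not a real peering password.
PEER_A = "203.0.113.10"
PEER_B = "203.0.113.20"
SHARED_KEY = b"example-ixp-peering-key"


def tcp_pseudo_header(src_ip: str, dst_ip: str, segment_len: int) -> bytes:
    """RFC 2385 2.0 item 1: src IP, dst IP, zero byte, protocol 6, TCP segment length
    (header including options plus data); same layout as the TCP checksum pseudo-header."""
    src = ipaddress.IPv4Address(src_ip).packed
    dst = ipaddress.IPv4Address(dst_ip).packed
    return src + dst + struct.pack("!BBH", 0, 6, segment_len)


def tcp_fixed_header(src_port: int, dst_port: int, seq: int, ack: int,
                     data_offset_words: int, flags: int, window: int) -> bytes:
    """20-byte fixed TCP header with checksum zeroed and options omitted, as the digest
    input requires (RFC 2385 2.0 item 2). The data offset still counts the options."""
    offset_flags = (data_offset_words << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def tcp_md5_digest(src_ip: str, dst_ip: str, fixed_header: bytes, payload: bytes, key: bytes) -> bytes:
    """MD5 over pseudo-header || fixed TCP header || segment data || key (RFC 2385 2.0)."""
    data_offset_words = fixed_header[12] >> 4
    segment_len = data_offset_words * 4 + len(payload)
    h = hashlib.md5()
    h.update(tcp_pseudo_header(src_ip, dst_ip, segment_len))
    h.update(fixed_header)
    h.update(payload)
    h.update(key)
    return h.digest()


def md5_option(digest: bytes) -> bytes:
    """TCP option kind 19, length 18, carrying the 16-byte digest (padded to 20 bytes on the wire)."""
    return bytes([19, 18]) + digest


def build_bgp_open(my_as: int, hold_time: int, bgp_id: str) -> bytes:
    """Minimal BGP OPEN (RFC 4271 4.2): version 4, no optional parameters, 29 bytes."""
    marker = b"\xff" * 16
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, ipaddress.IPv4Address(bgp_id).packed, 0)
    return marker + struct.pack("!HB", 16 + 2 + 1 + len(body), 1) + body


def sign_open(src_ip: str, dst_ip: str, key: bytes):
    """Sender side: build the OPEN, the TCP header, and the digest that goes into the option."""
    payload = build_bgp_open(64496, 90, src_ip)
    # Data offset 10 words = 20-byte header + 20 bytes of options (18-byte MD5 option + NOP/EOL).
    hdr = tcp_fixed_header(54321, 179, 1000, 5000, 10, 0x18, 65535)  # flags PSH|ACK
    return hdr, payload, tcp_md5_digest(src_ip, dst_ip, hdr, payload, key)


def verify_segment(src_ip: str, dst_ip: str, hdr: bytes, payload: bytes,
                   received_digest: bytes, key: bytes) -> bool:
    """Receiver side: recompute and compare in constant time; a mismatch means the segment is dropped."""
    expected = tcp_md5_digest(src_ip, dst_ip, hdr, payload, key)
    return hmac.compare_digest(expected, received_digest)


def demo() -> dict:
    hdr, payload, digest = sign_open(PEER_A, PEER_B, SHARED_KEY)
    forged = tcp_md5_digest(PEER_A, PEER_B, hdr, payload, b"guess")
    return {
        "option_len": len(md5_option(digest)),
        "legit_ok": verify_segment(PEER_A, PEER_B, hdr, payload, digest, SHARED_KEY),
        # Attacker on the same L2 segment spoofing PEER_A's IP (and MAC) but lacking the key.
        "spoofed_wrong_key": verify_segment(PEER_A, PEER_B, hdr, payload, forged, SHARED_KEY),
        # A valid segment seen arriving from a different source address: the pseudo-header
        # inside the digest binds it to PEER_A -> PEER_B, so it fails.
        "replayed_from_other_ip": verify_segment("203.0.113.99", PEER_B, hdr, payload, digest, SHARED_KEY),
        # One altered payload byte (the optional-parameter length) invalidates the digest.
        "tampered_payload": verify_segment(PEER_A, PEER_B, hdr, payload[:-1] + b"\x01", digest, SHARED_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Every segment of the session, not just the OPEN, carries this option, which is where the per-packet CPU cost mentioned in the thread comes from; it is also what turns a hijack attempt from "get a MAC and IP onto the exchange LAN" into "get a MAC and IP onto the LAN and also obtain the key". The recomputation above is plain Python for illustration; on a router the digest is computed in the TCP stack, and the same coverage rules apply to the RST injection case as to the OPEN shown here.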
Current thread:
- Peering at public exchange authentication craig washington (Sep 29)
- Re: Peering at public exchange authentication Patrick W. Gilmore (Sep 29)
- Re: Peering at public exchange authentication Bob Evans (Sep 29)
- Re: Peering at public exchange authentication Job Snijders (Sep 29)
- Re: Peering at public exchange authentication BRAD RAYMO (Sep 29)
- Re: Peering at public exchange authentication Dave Temkin (Sep 30)
- Re: Peering at public exchange authentication Patrick W. Gilmore (Sep 29)