Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Results of query on auth usage

  • From: Barbara Fraser
  • Date: Wed Jun 05 16:37:22 2002


I received 20 responses which isn't exactly overwhelming :-). All of the responses included usage information for eBGP-MD5 and a few provided information on MD5 for interior protocols. In addition to these 20 I also received a few more with commentary. Conclusion from these messages?

+ only 2 required their peers to use eBGP-MD5
+ many wanted to use it but peers either refused or didn't know how
+ some issues concerning whether this protects you from any "real" threat

So, there you have it. Below are the breakouts and miscellaneous remarks that were included in the email I received. Thanks to all of you who took the time to send me something.

Barb

==================================

eBGP-MD5 use

2 responded that they used it and required it of all peers
12 others replied they used BGP-MD5 whenever their peers supported it
1 replied they use it only when required by a peer
5 said they do not use it

Specific usage comments:
Out of 100+ peers, only 1 requires it
I use MD5 with BGP where I can, but <ISP> told me they don't support it so I'm limited in where I can deploy.
1 out of 25+ peers supports it
1 or 2 out of the 80+ eBGP sessions support it
2 out of 200 eBGP sessions support it


iBGP/OSPF/ISIS with MD5

2 reported using this but were in the 5 above that don't use eBGP-MD5
4 others reported using this as well as eBGP-MD5
no reports of using ISIS w MD5
1 said they do not use it

Miscellaneous comments:
+ For the most part, the greater vulnerability (still not well-understood by the script-kiddie community, thankfully) is probably a simple DoS of the appropriate listening port for the routing protocol.
+ It is our belief that it is highly unlikely that someone would have into your network to inject erroneous route advertisements.
+ The most difficult challenge I face there is convincing people of the "need" with the lack of a published exploit that the MD5 authentication would prevent.
+ Despite all the whining about the potential for an attack, I'm not aware of anyone having actually done so. Routers are notoriously under-CPU'd, and I think most engineers would rather have routes converge 30% faster than protect against an attack noone has ever done.
+ no hacker could figure out how to get into the infrastructure far enough to attack that so it's not worth attacking
+.It is very hard for a big provider to change their procedure for setting up MD5 authentication
+ Some ISPs are practically religious about using them, usually the result of a single person at the ISP pushing it.
+ On a case by case basis you can get most ISPs to setup MD5 on your particular BGP session, once you found the right
engineer.
+ The person at the other end didn't know how to enable it so you couldn't do it
+ As far as internal IGP (OSPF) MD5 authentication, I was always a little leary of using it because I wasn't comfortable with key rollover when you approached the maximum number of key-id's, (I believe it was 255). At that point, you're forced to take a hit when you have to remove the key entirely and start from a low integer value key-id. Had that limitation not been there, I would've deployed IGP MD5 authentication.





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.