Results of query on auth usage
- From: Barbara Fraser
- Date: Wed Jun 05 16:37:22 2002
I received 20 responses which isn't exactly overwhelming :-). All of the
responses included usage information for eBGP-MD5 and a few provided
information on MD5 for interior protocols. In addition to these 20 I also
received a few more with commentary. Conclusion from these messages?
+ only 2 required their peers to use eBGP-MD5
+ many wanted to use it but peers either refused or didn't know how
+ some issues concerning whether this protects you from any "real" threat
So, there you have it. Below are the breakouts and miscellaneous remarks
that were included in the email I received. Thanks to all of you who took
the time to send me something.
2 responded that they used it and required it of all peers
12 others replied they used BGP-MD5 whenever their peers supported it
1 replied they use it only when required by a peer
5 said they do not use it
Specific usage comments:
Out of 100+ peers, only 1 requires it
I use MD5 with BGP where I can, but <ISP> told me they don't support it so
I'm limited in where I can deploy.
1 out of 25+ peers supports it
1 or 2 out of the 80+ eBGP sessions support it
2 out of 200 eBGP sessions support it
iBGP/OSPF/ISIS with MD5
2 reported using this but were in the 5 above that don't use eBGP-MD5
4 others reported using this as well as eBGP-MD5
no reports of using ISIS w MD5
1 said they do not use it
+ For the most part, the greater vulnerability (still not well-understood
by the script-kiddie community, thankfully) is probably a simple DoS of the
appropriate listening port for the routing protocol.
+ It is our belief that it is highly unlikely that someone would get into
your network to inject erroneous route advertisements.
+ The most difficult challenge I face there is convincing people of the
"need" with the lack of a published exploit that the MD5 authentication
+ Despite all the whining about the potential for an attack, I'm not aware
of anyone having actually done so. Routers are notoriously under-CPU'd, and
I think most engineers would rather have routes converge 30% faster than
protect against an attack no one has ever done.
+ no hacker could figure out how to get into the infrastructure far enough
to attack that so it's not worth attacking
+ It is very hard for a big provider to change their procedure for setting
up MD5 authentication
+ Some ISPs are practically religious about using them, usually the result
of a single person at the ISP pushing it.
+ On a case by case basis you can get most ISPs to setup MD5 on your
particular BGP session, once you found the right
+ The person at the other end didn't know how to enable it so you couldn't
+ As far as internal IGP (OSPF) MD5 authentication, I was always a little
leery of using it because I wasn't comfortable with key rollover when you
approached the maximum number of key-ids (I believe it was 255). At that
point, you're forced to take a hit when you have to remove the key entirely
and start from a low integer value key-id. Had that limitation not been
there, I would've deployed IGP MD5 authentication.
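The "eBGP-MD5" the survey asks about is the TCP MD5 Signature Option of RFC 2385. The following is an added example, not part of the original post, that computes and verifies that signature for a BGP KEEPALIVE segment and shows a segment signed without the shared key being rejected; all addresses, ports, sequence numbers and the key are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 2385 TCP MD5 Signature Option ("eBGP-MD5"): the digest is computed over the
# IPv4 pseudo-header, the TCP header without options and with a zero checksum,
# the TCP payload, and finally the shared key, in that order.
# Every address, port, sequence number and key below is a constructed sample.

TCP_PROTO = 6
MD5_OPT_LEN = 20   # kind(1) + len(1) + digest(16), padded to a 4-byte boundary

def ipv4_bytes(addr):
    return bytes(int(octet) for octet in addr.split('.'))

def tcp_header(sport, dport, seq, ack, flags, window, options_len):
    """Build a 20-byte TCP header whose data offset accounts for the options."""
    data_offset = (20 + options_len) // 4
    return struct.pack('!HHIIHHHH', sport, dport, seq, ack,
                       (data_offset << 12) | flags, window, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, header, payload, key):
    """Return the 16-byte RFC 2385 digest for one segment."""
    data_offset = (struct.unpack('!H', header[12:14])[0] >> 12) * 4
    seg_len = data_offset + len(payload)   # options count, as for the TCP checksum
    pseudo = (ipv4_bytes(src_ip) + ipv4_bytes(dst_ip)
              + struct.pack('!BBH', 0, TCP_PROTO, seg_len))
    bare_header = header[:16] + b'\x00\x00' + header[18:20]   # checksum zeroed, no options
    return hashlib.md5(pseudo + bare_header + payload + key).digest()

def verify_segment(src_ip, dst_ip, header, payload, carried_digest, key):
    """Receiver side: recompute and compare in constant time; drop on mismatch."""
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(expected, carried_digest)

def demo():
    """A genuine BGP KEEPALIVE passes; the same segment signed without the key fails."""
    key = b'constructed-peer-secret'
    keepalive = b'\xff' * 16 + struct.pack('!HB', 19, 4)   # BGP marker, length 19, type KEEPALIVE
    hdr = tcp_header(179, 49152, 1000, 2000, 0x018, 65535, MD5_OPT_LEN)   # PSH|ACK
    genuine = tcp_md5_digest('192.0.2.1', '198.51.100.2', hdr, keepalive, key)
    # Injected by a host that does not hold the key: digest computed with a guess
    forged = tcp_md5_digest('192.0.2.1', '198.51.100.2', hdr, keepalive, b'guess')
    return (verify_segment('192.0.2.1', '198.51.100.2', hdr, keepalive, genuine, key),
            verify_segment('192.0.2.1', '198.51.100.2', hdr, keepalive, forged, key))
```

Note that the receiver still has to parse the segment far enough to reach the digest check, which is why the option authenticates the session but does not remove the cost of flooding the listening port.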