On 1/27/12 12:35 , Christopher Morrow wrote:
> On Fri, Jan 27, 2012 at 3:32 PM, Jon Lewis <jle...@lewis.org> wrote:
>> On Fri, 27 Jan 2012, Christopher Morrow wrote:
>>
>>> lots of folks still use it yes. is it helpful? maybe? maybe not? is
>>> this peering over a shared media (like a 10base-T hub).
>>>
>>> You might point out that you'll be enabling this, then promptly
>>> writing the 'secret' on a large whiteboard in your noc... because
>>> chances are the config won't include it in rancid and ... you don't
>>> have a place to store these securely that's not prone also to outages
>>> :(
>>>
>>> also, customers wander through your NOC, so...
>>
>>
>> All that may be true, but still, the random hacker in Romania who wants in
>> on their BGP session won't know the secret...probably.
>
> 1) that person doesn't exist
> 2) they need a LOT more info about what's going on anyway
> 3) I bet they will get a copy of the config from at least:
>   a) vendor data sources
>   b) ebay purchases of gear
>   c) pwning a noc-worker and getting things done from there.
>
> There are far better ways to skin this cat.
I don't think md5 is that great, but I absolutely wouldn't use a clear text password if I'm going to use anything at all. I don't think shared secret management is dramatically harder than any other form of configuration management, modulo rekeying, which requires coordination with a third party and is therefore hard.

joel
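For readers following the thread, here is what the "secret" under discussion actually does on the wire. This is an added example, not code from any poster or vendor: it implements the RFC 2385 TCP MD5 signature option (kind 19) in Python, signing a constructed BGP KEEPALIVE segment and verifying it with the right key, a wrong key, a tampered payload, and no option at all. The addresses (192.0.2.x, TEST-NET), port numbers, sequence numbers, key and payload are all made up for the example, and the TCP checksum is left at zero because a real stack fills it in after signing.

```python
"""RFC 2385 TCP MD5 signature option: build and verify a signed TCP segment.

Added example, not from the mailing-list thread. The digest is computed over,
in order: the IPv4 pseudo-header, the fixed 20-byte TCP header with options
removed and checksum zeroed, the segment data, and finally the shared key.
"""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCPOPT_MD5SIG = 19      # option kind assigned by RFC 2385
TCPOPT_MD5SIG_LEN = 18  # kind + length + 16-byte digest
TCPOPT_NOP = 1


def tcp_md5_digest(src_ip, dst_ip, tcp_header20, seg_len, payload, key):
    """Return the 16-byte RFC 2385 digest for one segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    # Checksum occupies bytes 16..17 of the fixed header and is treated as zero.
    hdr = tcp_header20[:16] + b"\x00\x00" + tcp_header20[18:]
    h = hashlib.md5()
    h.update(pseudo)
    h.update(hdr)
    h.update(payload)
    h.update(key)
    return h.digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags,
                         window, payload, key):
    """Return fixed header + options + payload carrying a valid MD5 option."""
    options_len = TCPOPT_MD5SIG_LEN + 2      # two NOPs pad options to 20 bytes
    data_offset = (20 + options_len) // 4    # header length in 32-bit words
    seg_len = 20 + options_len + len(payload)
    # Checksum (second-to-last field) is 0; a real stack computes it afterwards.
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, window, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, seg_len, payload, key)
    options = (struct.pack("!BB", TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN) + digest
               + bytes([TCPOPT_NOP, TCPOPT_NOP]))
    return fixed + options + payload


def extract_md5_option(segment):
    """Return (digest, fixed_header, payload), or None if no MD5 option present."""
    data_offset = (segment[12] >> 4) * 4
    fixed, options, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    digest = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end-of-option-list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break                          # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                          # malformed length: stop parsing
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            digest = options[i + 2:i + length]
        i += length
    return None if digest is None else (digest, fixed, payload)


def verify_segment(src_ip, dst_ip, segment, key):
    """True only if the segment carries an MD5 option that matches this key."""
    parsed = extract_md5_option(segment)
    if parsed is None:
        return False   # RFC 2385: unsigned segments on a protected session are dropped
    digest, fixed, payload = parsed
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, len(segment), payload, key)
    return hmac.compare_digest(digest, expected)


# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4)
# from 192.0.2.1:179 to 192.0.2.2:40000, signed with a made-up key.
SRC, DST, KEY = "192.0.2.1", "192.0.2.2", b"s3cret"
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
SIGNED = build_signed_segment(SRC, DST, 179, 40000, 1000, 2000, 0x18, 65535,
                              KEEPALIVE, KEY)
# Same segment with the option stripped (data offset 5 words, no options).
UNSIGNED = struct.pack("!HHIIBBHHH", 179, 40000, 1000, 2000, 5 << 4, 0x18,
                       65535, 0, 0) + KEEPALIVE


def demo():
    """Return (good_key, wrong_key, tampered_payload, unsigned) verify results."""
    tampered = SIGNED[:-1] + bytes([SIGNED[-1] ^ 0x01])
    return (verify_segment(SRC, DST, SIGNED, KEY),
            verify_segment(SRC, DST, SIGNED, b"wrong"),
            verify_segment(SRC, DST, tampered, KEY),
            verify_segment(SRC, DST, UNSIGNED, KEY))


if __name__ == "__main__":
    print(demo())
```

Because the key is only ever hashed, never sent, an on-path attacker sees the digest but not the secret; what they can do is replay or, with the key, forge, which is why the thread's argument is about where the key is stored and how it is rotated rather than about the wire format.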