My thoughts are that you should filter traffic routed directly to your BGP speaking devices; traffic routing through an edge device and to an edge device are treated differently. BGP session protection using an MD5 password by itself is not securing the control plane, but it is a component of an overall secure edge posture. For example, MD5 protection, plus edge filtering policies, plus TTL security, plus ........., make for a more secure edge.
Also, it does not matter how many attempts at compromising a BGP session occur; it only takes one, so why not nail it down?

Mike

On Tue, Jan 31, 2012 at 12:39 AM, Keegan Holley <keegan.hol...@sungard.com> wrote:

> I suppose so but BFD certainly has a lot more moving parts than adding
> MD5 checksums to an existing control packet. I'm not saying everyone
> should turn it on or off for that matter. I just don't see what the
> big deal is. Most of the shops I've seen have it on because of some
> long forgotten engineering standard.
>
>
> 2012/1/30 John Kristoff <j...@cymru.com>:
> > On Fri, 27 Jan 2012 15:52:41 -0500
> > "Patrick W. Gilmore" <patr...@ianai.net> wrote:
> >
> >> Unfortunately, Network Engineers are lazy, impatient, and frequently
> >> clueless as well.
> >
> > While the quantity of peering sessions I've had is far less than
> > yours, once upon a time when I had tried to get MD5 on dozens of peering
> > sessions I learned quite a bit about those engineers and those
> > networks. I got to find out who couldn't do password management, who
> > never heard of MD5 and who had been listening to Patrick. :-) All good
> > input that informs what else I might want to do to protect myself from
> > those networks or who I wouldn't mind having a business relationship
> > with.
> >
> > John