On 1/31/12, Nick Hilliard <n...@foobar.org> wrote:
> On 31/01/2012 16:40, David Barak wrote:
>> Because downtime is a security issue too, and MD5 is more likely to
>> contribute to downtime (either via lost password, crypto load on CPU, or
>> other) than the problem it purports to fix. The goal of a network
>> engineer is to move packets from A -> B. The goal of a security
>> engineer is to keep that from happening. A business needs to weigh the
>> cost and benefit of any given approach, and MD5 BGP auth does not come
>> out well in the of situations.
>
> cpu load is negligible and is done in hardware on several platforms. Lost
> passwords can occur but if you have properly stored configuration backups,
> they shouldn't be a major problem. Also, they can be trivially decrypted
> from C/J configuration files.
>
> From my point of view, MD5 passwords serve two purposes:
.. snip ..
>
> 2. they can be used to convince security auditors that the network is
> secure and that they can now sod off and stop harassing me, kthxbai
+1

It isn't worth the time or effort trying to get an exception to their 'best practice'.

Lee