Almost all good and popular peering points utilize MAC locks on ports for all peers. (With few exceptions.) To hijack a BGP session one would need not only a port on the peering network but a MAC address registered with the peering network - or their packets won't traverse the port through the switches to your port.

So the extra CPU load of MD5, in my opinion, is a waste on a peering edge router with many peers. With lots of peers on a router - all the timing and table building after a needed maintenance reboot could lead to table building slowness and establishment timing sluggishness issues (depending on the router of course). If a peering network doesn't lock most all participants (and any router servers they have) by the MAC of the peering device I won't be a participant.

All that said - I know of a way a customer of a network can create havoc by using a device/router that allows the MAC to be modified like a variable. However, for the most part that havoc would be limited to that network that hacking customer is located on. This would also be a truly rare event as there needs to be something the network also allowed for the customer to get routable layer 2 access to the peering port.

Bob Evans
CTO

> MD5 on BGP Considered Harmful
>
> --
> TTFN,
> patrick
>
> Composed on a virtual keyboard, please forgive typos.
>
>
>> On Sep 29, 2017, at 13:41, craig washington
>> <craigwashingto...@hotmail.com> wrote:
>>
>> Hello all,
>>
>>
>> Wondering your views or common practices for using authentication via
>> BGP at public exchange locations.
>>
>> Just for example, let's say you peer with 5 people in the TELX in
>> Atlanta, do you require them to all use authentication for the BGP
>> session?
>>
>> I've seen some use it and some not use it, is it just a preference?
>