Re: BGP MD5 at IXP

2012-03-11 Thread Nick Hilliard
On 10/03/2012 11:24, Robert E. Seastrom wrote: > Hopefully your modern exchange point router has some sort of control > plane policing. My gut feeling is that lots don't. The behaviour of various operating systems regarding MD5 processing is interesting. *BSD (and I assume consequently junos) ch

Re: BGP MD5 at IXP

2012-03-10 Thread Robert E. Seastrom
Andy Davidson writes: > Because TCP MD5 packets touch a router's CPU, using MD5 introduces a > new attack vector - see nanogii passim > (e.g. http://www.nanog.org/meetings/nanog39/presentations/Scholl.pdf). > Don't do it. :-) Tom's slide deck is often misinterpreted - the salient parts are on p

Re: BGP MD5 at IXP

2012-03-10 Thread Andy Davidson
On 9 Mar 2012, at 22:24, Jay Hanke wrote: > How critical is BGP MD5 at Internet Exchange Points? Would lack of > support for MD5 authentication on route servers prevent some peers > from multilaterally connecting? Do most exchange operators support it? At LONAP in London, the route-servers do no

Re: BGP MD5 at IXP

2012-03-09 Thread Patrick W. Gilmore
On Mar 9, 2012, at 17:24 , Jay Hanke wrote: > How critical is BGP MD5 at Internet Exchange Points? Would lack of > support for MD5 authentication on route servers prevent some peers > from multilaterally connecting? Do most exchange operators support it?

BGP MD5 at IXP

2012-03-09 Thread Jay Hanke
How critical is BGP MD5 at Internet Exchange Points? Would lack of support for MD5 authentication on route servers prevent some peers from multilaterally connecting? Do most exchange operators support it? Thanks! Jay