North American Network Operators Group


Results of query on auth usage

  • From: Barbara Fraser
  • Date: Wed Jun 05 16:37:22 2002


I received 20 responses which isn't exactly overwhelming :-). All of the responses included usage information for eBGP-MD5 and a few provided information on MD5 for interior protocols. In addition to these 20 I also received a few more with commentary. Conclusion from these messages?

+ only 2 required their peers to use eBGP-MD5
+ many wanted to use it but peers either refused or didn't know how
+ some issues concerning whether this protects you from any "real" threat

So, there you have it. Below are the breakouts and miscellaneous remarks that were included in the email I received. Thanks to all of you who took the time to send me something.

Barb

==================================

eBGP-MD5 use

2 responded that they used it and required it of all peers
12 others replied they used BGP-MD5 whenever their peers supported it
1 replied they use it only when required by a peer
5 said they do not use it

Specific usage comments:
Out of 100+ peers, only 1 requires it
I use MD5 with BGP where I can, but <ISP> told me they don't support it so I'm limited in where I can deploy.
1 out of 25+ peers supports it
1 or 2 out of the 80+ eBGP sessions support it
2 out of 200 eBGP sessions support it


iBGP/OSPF/ISIS with MD5

2 reported using this but were in the 5 above that don't use eBGP-MD5
4 others reported using this as well as eBGP-MD5
no reports of using IS-IS with MD5
1 said they do not use it

Miscellaneous comments:
+ For the most part, the greater vulnerability (still not well-understood by the script-kiddie community, thankfully) is probably a simple DoS of the appropriate listening port for the routing protocol.
+ It is our belief that it is highly unlikely that someone would have into your network to inject erroneous route advertisements.
+ The most difficult challenge I face there is convincing people of the "need" with the lack of a published exploit that the MD5 authentication would prevent.
+ Despite all the whining about the potential for an attack, I'm not aware of anyone having actually done so. Routers are notoriously under-CPU'd, and I think most engineers would rather have routes converge 30% faster than protect against an attack no one has ever done.
+ no hacker could figure out how to get into the infrastructure far enough to attack that so it's not worth attacking
+ It is very hard for a big provider to change their procedure for setting up MD5 authentication
+ Some ISPs are practically religious about using them, usually the result of a single person at the ISP pushing it.
+ On a case-by-case basis you can get most ISPs to set up MD5 on your particular BGP session, once you've found the right engineer.
+ The person at the other end didn't know how to enable it so you couldn't do it
+ As far as internal IGP (OSPF) MD5 authentication, I was always a little leery of using it because I wasn't comfortable with key rollover when you approached the maximum number of key-ids (I believe it was 255). At that point, you're forced to take a hit when you have to remove the key entirely and start from a low integer value key-id. Had that limitation not been there, I would've deployed IGP MD5 authentication.
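For readers unfamiliar with what "eBGP-MD5" actually covers, the following is an added worked example (not from Barb's post or any respondent) of the RFC 2385 TCP MD5 Signature Option digest that protects a BGP session: it hashes the IP pseudo-header, the fixed TCP header with a zero checksum, the segment data and the shared key, so a segment with altered contents or a spoofed source address fails verification. The key, addresses and the BGP-like payload bytes are constructed sample values.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
BGP_PORT = 179
MD5_OPT_LEN = 18  # option kind 19, length 18, 16-byte digest (RFC 2385)


def tcp_fixed_header(sport, dport, seq, ack, flags, window, opt_len):
    """Build the 20-byte fixed TCP header; data offset counts the options too."""
    data_off = (20 + opt_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_off << 4, flags, window, 0, 0)


def tcp_md5_signature(src_ip, dst_ip, fixed_hdr, opt_len, payload, key):
    """RFC 2385 digest: pseudo-header, fixed header with zero checksum, data, key.
    TCP options are excluded from the hash but counted in the segment length."""
    seg_len = len(fixed_hdr) + opt_len + len(payload)
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]  # checksum treated as zero
    return hashlib.md5(pseudo + hdr + payload + key).digest()


def verify_segment(src_ip, dst_ip, fixed_hdr, opt_len, payload, key, sig):
    """Receiver side: recompute the digest for every segment and compare in constant time."""
    expected = tcp_md5_signature(src_ip, dst_ip, fixed_hdr, opt_len, payload, key)
    return hmac.compare_digest(expected, sig)


def demo():
    key = b"constructed-peer-secret"  # constructed shared per-session password
    opt_len = MD5_OPT_LEN + 2         # the option plus two NOP pad bytes
    hdr = tcp_fixed_header(BGP_PORT, 45678, 1000, 2000, 0x18, 16384, opt_len)
    # constructed minimal BGP UPDATE: 16-byte marker, length 23, type 2, two zero lengths
    update = b"\xff" * 16 + b"\x00\x17\x02" + b"\x00\x00\x00\x00"
    sig = tcp_md5_signature("192.0.2.1", "192.0.2.2", hdr, opt_len, update, key)
    ok = verify_segment("192.0.2.1", "192.0.2.2", hdr, opt_len, update, key, sig)
    # same signature, but the payload was altered in flight
    tampered = verify_segment("192.0.2.1", "192.0.2.2", hdr, opt_len,
                              update[:-1] + b"\x01", key, sig)
    # identical bytes replayed from a different source address
    spoofed = verify_segment("198.51.100.9", "192.0.2.2", hdr, opt_len, update, key, sig)
    return ok, tampered, spoofed
```

Note that the receiver must run the MD5 computation before it can discard a bad segment, which is the per-packet CPU cost behind the "under-CPU'd routers" remark above.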