North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: md5 for bgp tcp sessions

  • From: Eric Gauthier
  • Date: Thu Jun 23 10:00:44 2005


> eric, all, not to pick on eric at all, but since he raised the issue...

I always assume and, frankly hope, that when I post something someone will
pipe up and point out anything thats inaccurate, needs clarification,
is a bad idea, etc.

> > likely need to make modifications to our IGP/EGP setup.  Though we filter 
> > OSPF multicast traffic, we wanted to add in MD5 passwords to our
> > neighbors.
> just a quick comment here.  i would encourage you not to do that.  

Honestly, I completely agree with you that MD5'ing our OSPF adjacencies isn't
a great idea (I've so far stalled its roll-out).  I strongly argued against it 
internally.  There were, however, those in both the networking and security 
groups that were concerned about the OSPF vulnerabilities that were pointed 
out recently and were in favor of the MD5s as the mitigation method.  I used 
the discussion as a point in favor of moving to IS-IS because, since we don't
route CLNS on our campus, IS-IS would be more immune to that form of attack.  
I just noted the issue in my response because it was one of the reaons why
we're deciding to move from OSPF to IS-IS, rather than as a recommendation.

Thanks for pointing it out!

Eric :)