|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: md5 for bgp tcp sessions
Todd, > eric, all, not to pick on eric at all, but since he raised the issue... I always assume and, frankly hope, that when I post something someone will pipe up and point out anything thats inaccurate, needs clarification, is a bad idea, etc. > > likely need to make modifications to our IGP/EGP setup. Though we filter > > OSPF multicast traffic, we wanted to add in MD5 passwords to our > > neighbors. > > just a quick comment here. i would encourage you not to do that. Honestly, I completely agree with you that MD5'ing our OSPF adjacencies isn't a great idea (I've so far stalled its roll-out). I strongly argued against it internally. There were, however, those in both the networking and security groups that were concerned about the OSPF vulnerabilities that were pointed out recently and were in favor of the MD5s as the mitigation method. I used the discussion as a point in favor of moving to IS-IS because, since we don't route CLNS on our campus, IS-IS would be more immune to that form of attack. I just noted the issue in my response because it was one of the reaons why we're deciding to move from OSPF to IS-IS, rather than as a recommendation. Thanks for pointing it out! Eric :)
|