Almost all good and popular peering points utilize MAC locks on ports for all peers. (With few exceptions. ) To hijack a bgp session one would need not only a port on the peering network but a MAC address registered with the peering network - or their packets won't transverse the port through the switches to your port. So the extra CPU load of MD5, in my opinon, is a waste on an peering edge router with many peers. With lots of peers on a router - all the timing and table building after a needed maintenance reboot could lead to table building slowness and establishment timing sluggishness issues (depending on the router of course). If a peering network doesn't lock most all participants (and any router servers they have) by the MAC of the peering device I won't be a participant. All that said - I know of a way a customer of a network can create havoc by using a device/router that allows the MAC to be modified like a variable. However, for the most part that havoc would be limited to that network that hacking customer is located on. This would also be a truly rare event as there needs to be something the network also allowed for the customer to get routable layer 2 access to the peering port. Bob Evans CTO
MD5 on BGP Considered Harmful
-- TTFN, patrick
Composed on a virtual keyboard, please forgive typos.
On Sep 29, 2017, at 13:41, craig washington <craigwashington01@hotmail.com> wrote:
Hello all,
Wondering your views or common practices for using authentication via BGP at public exchange locations.
Just for example, lets say you peer with 5 people in the TELX in Atlanta, do you require them to all use authentication for the BGP session?
Ive seem some use it and some not use it, is it just a preference?