18 Nov
2018
18 Nov
'18
10:38 a.m.
On 18/Nov/18 13:13, Nick Hilliard wrote:
one of the few uses for tcp/md5 protection on bgp sessions can be found at IXPs where if you have an participant leaving the fabric, there will often be leftover bgp sessions configured on other routers on the exchange. Pre-configuring MD5 on BGP sessions will ensure that these cannot be used to spoof connectivity to the old network.
Except that exchange point members are notorious for not liking session MD5 protection in the interest of keeping deployment simple. We made it mandatory for peers 6 years ago. We had to loosen our stance a year later :-). Mark.