Adam Rothschild wrote:
> Which begs the question, what is one to do, shy of moving (private) peering/transit/customer /31's and /30's into non-routable IP space, which opens up an entirely new can of worms?
Insist that the peer uses "ip verify unicast reverse-path" on all interfaces, or similar command for other vendors.
> Fact of the matter is, MD5 computation/verification is not cheap, and many Cisco and Juniper platforms aren't designed to handle a barrage of MD5-hashed TCP packets. All things considered, I think MD5 authentication will lower the bar for attackers, not raise it. I'm sure code optimizations could fix things to some degree, but that's just not the case today.
Certainly the best reason not to MD5 I have heard so far.
Mikael Abrahamsson wrote:
> http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml
> This one seems much worse than the TCP RST problem.
Relatively easy to filter though.

Michel
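As an added illustration of what the per-packet MD5 work discussed in this thread amounts to, here is a small Python model of RFC 2385 TCP MD5 signing and the receiver-side verification a router must perform on every signed segment before it can even decide whether an RST is genuine; it is not code from this thread or from any vendor, and the addresses, key and segment fields are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

MD5_OPT_KIND, MD5_OPT_LEN = 19, 18  # RFC 2385 option: kind, length (2 + 16-byte digest)

def tcp_md5_signature(src_ip, dst_ip, segment, key):
    """RFC 2385 digest over: pseudo-header, fixed 20-byte TCP header with checksum
    zeroed (options excluded), segment data, key. segment = full TCP header + data."""
    hdr_len = (segment[12] >> 4) * 4
    if not 20 <= hdr_len <= len(segment):
        raise ValueError("bad TCP data offset")
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(segment))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed + segment[hdr_len:] + key).digest()

def find_md5_option(segment):
    """Walk the TCP options; return the 16-byte digest from a kind-19 option, else None."""
    hdr_len, i = (segment[12] >> 4) * 4, 20
    while i < hdr_len:
        kind = segment[i]
        if kind == 0:                      # end of option list
            return None
        if kind == 1:                      # NOP
            i += 1
            continue
        length = segment[i + 1] if i + 1 < hdr_len else 0
        if length < 2 or i + length > hdr_len:
            return None                    # malformed option; treat as unsigned
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return segment[i + 2:i + MD5_OPT_LEN]
        i += length
    return None

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: accept only when the carried digest matches the recomputed one."""
    got = find_md5_option(segment)
    return got is not None and hmac.compare_digest(got, tcp_md5_signature(src_ip, dst_ip, segment, key))

def build_signed_segment(src_ip, dst_ip, key, flags=0x04, seq=1000, payload=b""):
    """Constructed sample segment (BGP port, RST flag, data offset 10 = 20 option bytes), signed with key."""
    fixed = struct.pack("!HHIIBBHHH", 179, 40000, seq, 0, 10 << 4, flags, 65535, 0, 0)
    pad = b"\x00\x00"                      # end-of-option-list padding to a 4-byte boundary
    unsigned = fixed + bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + b"\x00" * 16 + pad + payload
    digest = tcp_md5_signature(src_ip, dst_ip, unsigned, key)  # options are not hashed
    return fixed + bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + pad + payload
```

Note that the receiver has to run the full hash before it can drop a forged segment, which is the asymmetry the thread is pointing at: an unsigned spoofed RST is rejected by a cheap option check, but a segment carrying a bogus kind-19 option costs a hash computation either way.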