On 1/27/12 12:35 , Christopher Morrow wrote:
On Fri, Jan 27, 2012 at 3:32 PM, Jon Lewis <jlewis@lewis.org> wrote:
On Fri, 27 Jan 2012, Christopher Morrow wrote:
lots of folks still use it yes. is it helpful? maybe? maybe not? is this peering over a shared media (like a 10base-T hub).
You might point out that you'll be enabling this, then promptly writing the 'secret' on a large whiteboard in your noc... because chances are the config won't include it in rancid and ... you don't have a place to store these securely that's not prone also to outages :(
also, customers wander through your NOC, so...
All that may be true, but still, the random hacker in Romania who wants in on their BGP session won't know the secret...probably.
1) that person doesn't exist 2) they need a LOT more info about what's going on anyway 3) I bet they will get a copy of the config from at least: a) vendor data sources b) ebay purchases of gear c) pwning a noc-worker and getting things done from there.
There are far better ways to skin this cat.
I don't think md5 is that great, but I absolutely wouldn't use a clear text password if I'm going to use anything at all. I don't think shared seceret management is dramatically harder than any other form of of configuration management, modula rekeying requires coordination with a third party and is therefore hard. joel