On Tue, 20 Apr 2004, Michel Py wrote:

> Now, the dumb question. Given: 1) the context above, especially item b, and 2) Christopher Morrow's comments below, explain to me what having or not having the MD5 password changes. Either you're small and/or stupid and do it manually, or you have an automated system that does it for you.

I wasn't clear and for that I'm sorry. Except in the later code trains, or until the recent past (1 year or so), changing the BGP MD5 auth bits required the session to be reset. Changing your route-map or access-list or prefix-list will not reset the session... Having to reset sessions to change 'vital' security parameters seems like a large problem. So, given this operational headache, MD5 auth just doesn't get rolled out, or when it does, sessions never get their auth info changed (in practice). At least in more current code, and now in 12.0.SOMETHING-S code, you can both change on the fly and have 'fall back' key capability. This makes this pain less and makes operational pain with md5 less as well.

> Christopher L. Morrow wrote:
>> there is the issue of changing the keys during operations without impacting the network, eh? Having to bounce every bgp session in your network can be pretty darned painful... if you change the key(s) of course.
>
> See above: Changing the route-map is equally painful.

no, removing a route-map or adding a new one is painful; changing it is just normal, no bounce required.

> If you don't, you might as well not have keys, since adding the 3 lines of C code required to Paul Watson's program to make it do the hashing certainly won't be a big deal, eh?
>
> I'm weak with C. Besides adding "neighbor x.x.x.x password 7 " below

me too, I'm a chemical engineer... :)

> "enable-password 7 " for each peer (which requires recompiling, how annoying), would you care to share the 3 said lines for the code below :-)

wrong program, I was referring to his reset_tcp.c program, which would only need: 1) your key as an input in argv, 2) the requisite option added to the tcp header, 3) the hash function applied to the resultant packet before generation and output. so, 3 pseudo-code lines... my point here is that the MD5 auth is only as good as your passwd security and change procedures. Remember that once you put the passwd in the config it's exposed, and the next NOC engineer that leaves will have a copy emailed to his home email account before he stomps out :(
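For readers who want to see concretely what the "hash function applied to the resultant packet" covers, here is an added example (not code from this thread or from reset_tcp.c) of the RFC 2385 TCP MD5 Signature Option as an audit helper: it recomputes the signature over a captured segment and reports whether the session is unsigned, correctly signed for the configured key, or carrying a bad signature. The addresses, key and BGP KEEPALIVE payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

MD5_OPT_KIND, MD5_OPT_LEN = 19, 18   # TCP MD5 Signature Option (RFC 2385)
BGP_PORT = 179
# Constructed sample payload: a BGP KEEPALIVE (16-byte marker, length 19, type 4).
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)

def _pseudo_header(src_ip, dst_ip, tcp_len):
    # Same pseudo-header as the TCP checksum: src, dst, zero, proto 6, TCP length incl. options.
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)

def find_md5_option(segment):
    """Walk the TCP options; return the 16-byte signature, or None if the segment is unsigned."""
    hdr_len, i = (segment[12] >> 4) * 4, 20
    while i < hdr_len:
        kind = segment[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        length = segment[i + 1]
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return segment[i + 2:i + 18]
        i += length
    return None

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """MD5(pseudo-header || fixed 20-byte TCP header with checksum=0 || data || key); options excluded."""
    hdr_len = (segment[12] >> 4) * 4
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(_pseudo_header(src_ip, dst_ip, len(segment)) + fixed + segment[hdr_len:] + key).digest()

def verify_segment(src_ip, dst_ip, segment, key):
    """Audit a captured segment: 'unsigned', 'ok' (signature matches key) or 'bad'."""
    sig = find_md5_option(segment)
    if sig is None:
        return "unsigned"
    return "ok" if hmac.compare_digest(sig, tcp_md5_digest(src_ip, dst_ip, segment, key)) else "bad"

def build_segment(src_ip, dst_ip, key, payload=BGP_KEEPALIVE, sign=True, seq=1000, ack=2000):
    """Constructed test vector: PSH/ACK on port 179; TCP checksum left at 0 (it is not signed)."""
    opts = (bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + b"\x00" * 16 + b"\x01\x01") if sign else b""
    offset = (20 + len(opts)) // 4         # header length in 32-bit words (10 signed, 5 unsigned)
    fixed = struct.pack("!HHIIBBHHH", BGP_PORT, BGP_PORT, seq, ack, offset << 4, 0x18, 65535, 0, 0)
    seg = fixed + opts + payload
    if not sign:
        return seg
    return seg[:22] + tcp_md5_digest(src_ip, dst_ip, seg, key) + seg[38:]
```

Because the pseudo-header binds both addresses and the hash covers the payload, a segment verified with swapped endpoints or a changed byte of data reports "bad", while a session that never negotiated the option shows up as "unsigned".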