Packet Clearing House has routers at several exchange points, which we use to collect local snapshots of the routes available at the exchanges. To do this, we peer with as many of the participants at each exchange as possible. We're mainly just collecting data, so route flaps aren't a huge problem for us. We haven't been tracking down existing peers and asking them to configure MD5 passwords on the sessions. We have been configuring MD5 passwords on sessions when asked, so we've got MD5 configured with peers who have asked for it, but not with peers who haven't.
As of Tuesday night, we had 244 peering sessions, of which 24 had MD5 configured. We configured MD5 on four more sessions yesterday, bringing the total to 28, and have one request that hasn't been completed yet, for a total of 29.
29 out of 244 is roughly 12%.
I'm going to make two broad assumptions here: that those peers who have configured MD5 with us have configured MD5 with all their peers, and that those who haven't configured MD5 with us have been asked to by 12% of their peers. I'm further going to assume that peers consistently configure MD5 when asked to, although I suspect that's a really bad assumption.
Therefore, we can assume that 12% of ISPs have all their peers configured with MD5, and that the remaining 88% have 12% of their peers configured with MD5, for a total of 22% of peering sessions having MD5 passwords.
I strongly suspect my assumption about the responsiveness of peers is wrong, and that the real number is somewhere between 12% and 22%. It's also possible that my sample isn't representative enough, which would lead to further problems with accuracy.
I'm curious as to what sorts of response rates those who have been actively contacting peers to ask for MD5 configuration have been getting, as well as whether other networks that have not been being proactive about this have been seeing contact rates similar to ours.
-Steve Gibbard
Packet Clearing House
On 06.05.2004 20:03 Steve Gibbard wrote:
I'm curious as to what sorts of response rates those who have been actively contacting peers to ask for MD5 configuration have been getting, as well as whether other networks that have not been being proactive about this have been seeing contact rates similar to ours.
At DE-CIX (www.de-cix.net) we have two route-servers (resilient setup). We were not really actively contacting peers (i.e. did not really press them to activate MD5).
Our figures (counted per AS not per peering as we have double peerings both on our side as well as on customer side having two+ routers) are:
120 peerings
21 MD5 peerings
ratio: 17.5%
Better than expected. I told a friend that MD5 peerings would be <10%.
Arnold
On May 6, 2004, at 2:42 PM, Arnold Nipper wrote:
On 06.05.2004 20:03 Steve Gibbard wrote:
I'm curious as to what sorts of response rates those who have been actively contacting peers to ask for MD5 configuration have been getting, as well as whether other networks that have not been being proactive about this have been seeing contact rates similar to ours.
At DE-CIX (www.de-cix.net) we have two route-servers (resilient setup). We were not really actively contacting peers (i.e. did not really press them to activate MD5).
Our figures (counted per AS not per peering as we have double peerings both on our side as well as on customer side having two+ routers) are:
120 peerings
21 MD5 peerings
ratio: 17.5%
Better than expected. I told a friend that MD5 peerings would be <10%.
Now I have been pretty vocal about the whole MD5 thing, but I have to say that route-servers are probably not the best indication of MD5-ness. Sessions which pass traffic get a little higher priority at most organizations.
Unfortunately, my organization was not passive until we got to see what the threat actually was, so our numbers are not useful. Would any traffic-carrying-organization care to discuss their numbers?
And anyone want to admit seeing an RST-style attack? Any attack which MD5 would have blocked?
--
TTFN,
patrick
On Thu, 6 May 2004 17:52:16 -0400 "Patrick W.Gilmore" <patrick@ianai.net> wrote:
Unfortunately, my organization was not passive until we got to see what the threat actually was, so our numbers are not useful. Would any traffic-carrying-organization care to discuss their numbers?
<http://www.cctec.com/maillists/nanog/historical/0109/msg01381.html>
After that post, DePaul's peering sessions peaked at about 50. If I'm not mistaken, only 1 new peer would not do MD5. The number doing MD5 for the first time probably went up slightly as well.
In the end, one of those organizations who wouldn't do MD5 is no longer in operation and another, well, I'm here now and that was something on my list of to-do's. :-)
John
We requested md5 by emailing all our peers several weeks ago; responses have been steady. We have 49% of peering sessions MD5 (that's 43% counted by ASN).
In general, small ISPs and customers have been poor to respond, with large ISPs and those operating ticket systems on their peering contact email being the best.
We've had very few inbound requests for md5, and of those that we had, they tended to be from large ISPs.
Steve
On Thu, 6 May 2004, Steve Gibbard wrote:
Packet Clearing House has routers at several exchange points, which we use to collect local snapshots of the routes available at the exchanges. To do this, we peer with as many of the participants at each exchange as possible. We're mainly just collecting data, so route flaps aren't a huge problem for us. We haven't been tracking down existing peers and asking them to configure MD5 passwords on the sessions. We have been configuring MD5 passwords on sessions when asked, so we've got MD5 configured with peers who have asked for it, but not with peers who haven't.
As of Tuesday night, we had 244 peering sessions, of which 24 had MD5 configured. We configured MD5 on four more sessions yesterday, bringing the total to 28, and have one request that hasn't been completed yet, for a total of 29.
29 out of 244 is roughly 12%.
I'm going to make two broad assumptions here: that those peers who have configured MD5 with us have configured MD5 with all their peers, and that those who haven't configured MD5 with us have been asked to by 12% of their peers. I'm further going to assume that peers consistently configure MD5 when asked to, although I suspect that's a really bad assumption.
Therefore, we can assume that 12% of ISPs have all their peers configured with MD5, and that the remaining 88% have 12% of their peers configured with MD5, for a total of 22% of peering sessions having MD5 passwords.
I strongly suspect my assumption about the responsiveness of peers is wrong, and that the real number is somewhere between 12% and 22%. It's also possible that my sample isn't representative enough, which would lead to further problems with accuracy.
I'm curious as to what sorts of response rates those who have been actively contacting peers to ask for MD5 configuration have been getting, as well as whether other networks that have not been being proactive about this have been seeing contact rates similar to ours.
-Steve Gibbard Packet Clearing House
participants (5)
- Arnold Nipper
- John Kristoff
- Patrick W.Gilmore
- Stephen J. Wilcox
- Steve Gibbard