Peering at public exchange authentication
Hello all, Wondering your views or common practices for using authentication via BGP at public exchange locations. Just for example, lets say you peer with 5 people in the TELX in Atlanta, do you require them to all use authentication for the BGP session? Ive seem some use it and some not use it, is it just a preference?
MD5 on BGP Considered Harmful -- TTFN, patrick Composed on a virtual keyboard, please forgive typos.
On Sep 29, 2017, at 13:41, craig washington <craigwashington01@hotmail.com> wrote:
Hello all,
Wondering your views or common practices for using authentication via BGP at public exchange locations.
Just for example, lets say you peer with 5 people in the TELX in Atlanta, do you require them to all use authentication for the BGP session?
Ive seem some use it and some not use it, is it just a preference?
Almost all good and popular peering points utilize MAC locks on ports for all peers. (With few exceptions. ) To hijack a bgp session one would need not only a port on the peering network but a MAC address registered with the peering network - or their packets won't transverse the port through the switches to your port. So the extra CPU load of MD5, in my opinon, is a waste on an peering edge router with many peers. With lots of peers on a router - all the timing and table building after a needed maintenance reboot could lead to table building slowness and establishment timing sluggishness issues (depending on the router of course). If a peering network doesn't lock most all participants (and any router servers they have) by the MAC of the peering device I won't be a participant. All that said - I know of a way a customer of a network can create havoc by using a device/router that allows the MAC to be modified like a variable. However, for the most part that havoc would be limited to that network that hacking customer is located on. This would also be a truly rare event as there needs to be something the network also allowed for the customer to get routable layer 2 access to the peering port. Bob Evans CTO
MD5 on BGP Considered Harmful
-- TTFN, patrick
Composed on a virtual keyboard, please forgive typos.
On Sep 29, 2017, at 13:41, craig washington <craigwashington01@hotmail.com> wrote:
Hello all,
Wondering your views or common practices for using authentication via BGP at public exchange locations.
Just for example, lets say you peer with 5 people in the TELX in Atlanta, do you require them to all use authentication for the BGP session?
Ive seem some use it and some not use it, is it just a preference?
Its up to you and how you want to manage your sessions. Some networks require it, some prefer it but do not require it, and others do not want to use it at all. On Fri, Sep 29, 2017 at 10:41 AM, craig washington < craigwashington01@hotmail.com> wrote:
Hello all,
Wondering your views or common practices for using authentication via BGP at public exchange locations.
Just for example, lets say you peer with 5 people in the TELX in Atlanta, do you require them to all use authentication for the BGP session?
Ive seem some use it and some not use it, is it just a preference?
Talks about GSRs and Sup720's, but still relevant today. https://www.nanog.org/meetings/nanog39/presentations/Scholl.pdf -Dave On Fri, Sep 29, 2017 at 11:05 AM, BRAD RAYMO <brad.raymo@gmail.com> wrote:
Its up to you and how you want to manage your sessions. Some networks require it, some prefer it but do not require it, and others do not want to use it at all.
On Fri, Sep 29, 2017 at 10:41 AM, craig washington < craigwashington01@hotmail.com> wrote:
Hello all,
Wondering your views or common practices for using authentication via BGP at public exchange locations.
Just for example, lets say you peer with 5 people in the TELX in Atlanta, do you require them to all use authentication for the BGP session?
Ive seem some use it and some not use it, is it just a preference?
Hi Craig, It may be simplest to use GTSM https://tools.ietf.org/html/rfc5082 Kind regards, Job On Fri, Sep 29, 2017 at 10:41 AM, craig washington <craigwashington01@hotmail.com> wrote:
Hello all,
Wondering your views or common practices for using authentication via BGP at public exchange locations.
Just for example, lets say you peer with 5 people in the TELX in Atlanta, do you require them to all use authentication for the BGP session?
Ive seem some use it and some not use it, is it just a preference?
participants (6)
-
Bob Evans -
BRAD RAYMO -
craig washington -
Dave Temkin -
Job Snijders -
Patrick W. Gilmore