"Dobbins, Roland" <[email protected]> writes:

> On Sep 15, 2012, at 7:58 PM, Nick Hilliard wrote:
>
>> The general advice is still to use copp or acls to deprioritise unknown bgp 
>> traffic. Gtsm can help in some situations, particularly at Ixps. Otherwise 
>> md5 is a matter of choice. Some people like it; others don't. 
>
> Concur.
>
> There are no recorded instances of MD5 keying contributing to a DoS
> in the wild, AFAIK.  And of course if you use iACLs, CoPP, GTSM, you
> therefore keep unwanted traffic off your session in the first place.

I agree - if unwanted traffic hits the control plane without being
clamped down, you've lost the game in so many other ways...

> MD5 keying is useful as a safeguard to make folks really think
> before they bring up new peers.  Sort of a last-ditch, "Are you
> *really* sure you want to do this, have you done everything else
> necessary to secure and protect this new routing relationship?"

Emphatically disagree.  Optimize for technician brain cells (where
Moore's Law does not apply).  An extra knob, an extra data point to be
collected, managed, (and possibly get wrong) as a proxy for "are you
sure? [y/N]" is a huge step away from goodness.

"The most reliable components are the ones you leave out." - C. Gordon Bell

-r

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
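The filtering the thread refers to (an iACL that only admits BGP from configured peers, a CoPP class that polices whatever BGP traffic is left, and GTSM's TTL check for the peers that support it) can be modelled end to end. The block below is an added example, not code from any poster or from any vendor's implementation; the peer addresses come from documentation ranges, the 2 packets-per-second policer rate is arbitrary, and the GTSM acceptance threshold of `255 - hops` is my assumption about how a configured hop count is applied.

```python
from dataclasses import dataclass
from collections import defaultdict

BGP_PORT = 179

# Constructed peer table (documentation-range addresses, not real peers).
# gtsm_hops is the configured hop count; None means GTSM is not enabled.
PEERS = {
    "192.0.2.1": {"gtsm_hops": 1},        # directly connected, GTSM enabled
    "198.51.100.7": {"gtsm_hops": None},  # multihop peer without GTSM
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dport: int
    ttl: int
    ts: float = 0.0  # arrival time in seconds


def is_bgp(pkt: Packet) -> bool:
    return BGP_PORT in (pkt.sport, pkt.dport)


def classify(pkt: Packet) -> str:
    """iACL + GTSM decision for one packet: 'permit', 'police', 'drop' or 'other'."""
    if not is_bgp(pkt):
        return "other"
    peer = PEERS.get(pkt.src)
    if peer is None:
        return "police"  # unknown BGP traffic lands in the deprioritised class
    hops = peer["gtsm_hops"]
    if hops is not None and pkt.ttl < 255 - hops:
        return "drop"  # fails the GTSM check (assumed threshold: TTL >= 255 - hops)
    return "permit"


class Policer:
    """Per-second packet-rate limiter standing in for a CoPP 'police' action."""

    def __init__(self, pps: int):
        self.pps = pps
        self.seen = defaultdict(int)  # whole-second bucket -> packets admitted

    def allow(self, ts: float) -> bool:
        bucket = int(ts)
        if self.seen[bucket] >= self.pps:
            return False
        self.seen[bucket] += 1
        return True


def apply_copp(packets, unknown_bgp_pps: int = 2):
    """Run packets through iACL, GTSM and the policer; return each final action."""
    policer = Policer(unknown_bgp_pps)
    actions = []
    for pkt in packets:
        action = classify(pkt)
        if action == "police":
            action = "permit-policed" if policer.allow(pkt.ts) else "drop-policed"
        actions.append(action)
    return actions


# Constructed sample traffic arriving at the control plane.
SAMPLE = [
    Packet("192.0.2.1", 40000, BGP_PORT, 255, 0.0),    # real peer, TTL intact
    Packet("192.0.2.1", 40000, BGP_PORT, 250, 0.1),    # spoofed/forwarded, fails GTSM
    Packet("198.51.100.7", BGP_PORT, 50000, 61, 0.2),  # multihop peer, no GTSM
    Packet("203.0.113.9", 1234, BGP_PORT, 64, 0.3),    # unknown source -> policed
    Packet("203.0.113.9", 1235, BGP_PORT, 64, 0.4),
    Packet("203.0.113.9", 1236, BGP_PORT, 64, 0.5),    # third in one second -> dropped
    Packet("203.0.113.9", 1237, 22, 64, 0.6),          # not BGP at all
]

if __name__ == "__main__":
    for pkt, act in zip(SAMPLE, apply_copp(SAMPLE)):
        print(f"{pkt.src:>14} ttl={pkt.ttl:3d} -> {act}")
```

The point the model makes is the one both posters agree on: by the time the policer runs, only traffic from unknown sources is left in that class, so the session itself never sees it, with or without an MD5 key on the neighbor.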
