On 9 Mar 2012, at 22:24, Jay Hanke wrote:

> How critical is BGP MD5 at Internet Exchange Points? Would lack of
> support for MD5 authentication on route servers prevent some peers
> from multilaterally connecting? Do most exchange operators support it?
At LONAP in London, the route-servers do not support TCP MD5 authentication for BGP. I don't think that this policy has led to anyone refusing to connect (about 80 of the 110 or so peers connected to the exchange use the Multilateral service - it is optional to connect to the MLP). We have no plans to enable TCP MD5 on this service.

Because TCP MD5 packets touch a router's CPU, using MD5 introduces a new attack vector - see nanogii passim (e.g. http://www.nanog.org/meetings/nanog39/presentations/Scholl.pdf). Don't do it. :-)

Andy

