Re: Peering at public exchange authentication

2017-09-30 Thread Dave Temkin
Talks about GSRs and Sup720's, but still relevant today.
https://www.nanog.org/meetings/nanog39/presentations/Scholl.pdf

-Dave

On Fri, Sep 29, 2017 at 11:05 AM, BRAD RAYMO  wrote:

> It's up to you and how you want to manage your sessions. Some networks
> require it, some prefer it but do not require it, and others do not want to
> use it at all.
>
> On Fri, Sep 29, 2017 at 10:41 AM, craig washington <
> craigwashingto...@hotmail.com> wrote:
>
> > Hello all,
> >
> >
> > Wondering your views or common practices for using authentication via BGP
> > at public exchange locations.
> >
> > Just for example, let's say you peer with 5 people in the TELX in Atlanta,
> > do you require them to all use authentication for the BGP session?
> >
> > I've seen some use it and some not use it, is it just a preference?
> >
> >
>


Re: Peering at public exchange authentication

2017-09-29 Thread BRAD RAYMO
It's up to you and how you want to manage your sessions. Some networks
require it, some prefer it but do not require it, and others do not want to
use it at all.

On Fri, Sep 29, 2017 at 10:41 AM, craig washington <
craigwashingto...@hotmail.com> wrote:

> Hello all,
>
>
> Wondering your views or common practices for using authentication via BGP
> at public exchange locations.
>
> Just for example, let's say you peer with 5 people in the TELX in Atlanta,
> do you require them to all use authentication for the BGP session?
>
> I've seen some use it and some not use it, is it just a preference?
>
>


Re: Peering at public exchange authentication

2017-09-29 Thread Bob Evans
Almost all good and popular peering points utilize MAC locks on ports for
all peers. (With few exceptions.) To hijack a BGP session one would need
not only a port on the peering network but a MAC address registered with
the peering network - or their packets won't traverse the port through
the switches to your port.

So the extra CPU load of MD5, in my opinion, is a waste on a peering edge
router with many peers. With lots of peers on a router - all the timing
and table building after a needed maintenance reboot could lead to table
building slowness and establishment timing sluggishness issues (depending
on the router of course).

If a peering network doesn't lock most all participants (and any route
servers they have) by the MAC of the peering device I won't be a
participant.

All that said - I know of a way a customer of a network can create havoc
by using a device/router that allows the MAC to be modified like a
variable. However, for the most part that havoc would be limited to that
network that hacking customer is located on. This would also be a truly
rare event as there needs to be something the network also allowed for the
customer to get routable layer 2 access to the peering port.

Bob Evans
CTO




> MD5 on BGP Considered Harmful
>
> --
> TTFN,
> patrick
>
> Composed on a virtual keyboard, please forgive typos.
>
>
>> On Sep 29, 2017, at 13:41, craig washington
>>  wrote:
>>
>> Hello all,
>>
>>
>> Wondering your views or common practices for using authentication via
>> BGP at public exchange locations.
>>
>> Just for example, let's say you peer with 5 people in the TELX in
>> Atlanta, do you require them to all use authentication for the BGP
>> session?
>>
>> I've seen some use it and some not use it, is it just a preference?
>




Re: Peering at public exchange authentication

2017-09-29 Thread Job Snijders
Hi Craig,

It may be simplest to use GTSM https://tools.ietf.org/html/rfc5082

Kind regards,

Job

On Fri, Sep 29, 2017 at 10:41 AM, craig washington
 wrote:
> Hello all,
>
>
> Wondering your views or common practices for using authentication via BGP at 
> public exchange locations.
>
> Just for example, let's say you peer with 5 people in the TELX in Atlanta, do
> you require them to all use authentication for the BGP session?
>
> I've seen some use it and some not use it, is it just a preference?
>
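
As an added illustration of the GTSM suggestion above (not code from the thread or from any router vendor): RFC 5082 has directly connected peers send with TTL 255 and discard anything arriving lower, since every routed hop decrements the TTL. The peer addresses and packets below are constructed documentation values, and the function names are hypothetical.

```python
import ipaddress
import struct

BGP_PORT = 179
GTSM_MIN_TTL = 255  # RFC 5082, directly connected peers
# Constructed peering-LAN neighbors (documentation addresses, not real peers).
PEERS = {"192.0.2.10", "192.0.2.20"}


def build_packet(src, dst, ttl, sport, dport):
    """Build a minimal IPv4 + TCP SYN header pair for the demo (checksums 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02,
                      65535, 0, 0)
    return ip + tcp


def gtsm_verdict(packet, peers=PEERS):
    """Classify one raw IPv4 packet: 'accept', 'drop-ttl' or 'not-bgp-peer'."""
    if len(packet) < 20:
        return "not-bgp-peer"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    ttl, proto = packet[8], packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    if proto != 6 or len(packet) < ihl + 4 or src not in peers:
        return "not-bgp-peer"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if BGP_PORT not in (sport, dport):
        return "not-bgp-peer"
    # A packet that crossed even one router arrives with TTL <= 254, so a
    # source address alone is not enough to reach the BGP session.
    return "accept" if ttl >= GTSM_MIN_TTL else "drop-ttl"


if __name__ == "__main__":
    samples = [  # constructed packets
        ("peer on the LAN", build_packet("192.0.2.10", "192.0.2.1", 255, 40000, 179)),
        ("peer address, routed in", build_packet("192.0.2.10", "192.0.2.1", 250, 40000, 179)),
        ("unconfigured source", build_packet("198.51.100.7", "192.0.2.1", 255, 40000, 179)),
    ]
    for label, pkt in samples:
        print(f"{label:26s} -> {gtsm_verdict(pkt)}")
```

Any sender on the same segment also arrives with TTL 255, so GTSM only filters traffic that was routed in from elsewhere; the port MAC locking discussed elsewhere in this thread is the control that addresses the on-LAN side.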


Re: Peering at public exchange authentication

2017-09-29 Thread Patrick W. Gilmore
MD5 on BGP Considered Harmful

-- 
TTFN,
patrick

Composed on a virtual keyboard, please forgive typos. 


> On Sep 29, 2017, at 13:41, craig washington  
> wrote:
> 
> Hello all,
> 
> 
> Wondering your views or common practices for using authentication via BGP at 
> public exchange locations.
> 
> Just for example, let's say you peer with 5 people in the TELX in Atlanta, do
> you require them to all use authentication for the BGP session?
>
> I've seen some use it and some not use it, is it just a preference?


Peering at public exchange authentication

2017-09-29 Thread craig washington
Hello all,


Wondering your views or common practices for using authentication via BGP at 
public exchange locations.

Just for example, let's say you peer with 5 people in the TELX in Atlanta, do
you require them to all use authentication for the BGP session?

I've seen some use it and some not use it, is it just a preference?