On 17/12/15 13:51, Matthew Walster wrote:
> 3. TCP MD5 for BGP. They say it's not cryptographically secure, then go
> on to say you should use a strong password. Which? How about just using
> the MD5 password as a prevention of fat-finger incidents as I imagine
> 90% of people do (the rest assuming that it provides a level of security
> it doesn't provide)?

It was designed to provide some measure of integrity at a time when neither TCP AO nor IPSEC AH existed, and when TCP ISN sequence number guessing was a 0-day exploit. It operates at TCP segment level and isn't optional on that basis once negotiated and turned on. (I should know, I wrote the FreeBSD version in 2004).

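An added illustration, not part of the original message and not the FreeBSD code it mentions: the per-segment digest as laid out in RFC 2385 (the TCP MD5 Signature Option), showing why a receiver with the option enabled rejects any segment that is altered or unsigned. The addresses, ports, key and helper names are constructed for the example, and the TCP checksum is left at zero for brevity.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND, MD5SIG_LEN = 19, 18   # RFC 2385 option kind and total length

def digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, fixed header (checksum zeroed), payload, key."""
    hdr_len = (segment[12] >> 4) * 4
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]   # options are excluded
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    return hashlib.md5(pseudo + fixed + segment[hdr_len:] + key).digest()

def sign(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Build a TCP segment that carries the signature option."""
    opts_len = 20                                  # 18-byte option + 2 NOPs
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        ((20 + opts_len) // 4) << 4, flags, 65535, 0, 0)
    unsigned = fixed + bytes(opts_len) + payload
    opt = bytes([MD5SIG_KIND, MD5SIG_LEN]) + digest(src_ip, dst_ip, unsigned, key)
    return fixed + opt + b"\x01\x01" + payload

def verify(src_ip, dst_ip, segment, key):
    """True only if the option is present and its digest matches."""
    if len(segment) < 20:
        return False
    hdr_len = min((segment[12] >> 4) * 4, len(segment))
    i = 20
    while i < hdr_len and segment[i] != 0:         # kind 0 ends the option list
        if segment[i] == 1:                        # NOP is a single byte
            i += 1
            continue
        if i + 1 >= hdr_len:
            break
        kind, length = segment[i], segment[i + 1]
        if length < 2 or i + length > hdr_len:
            break                                  # malformed option list
        if kind == MD5SIG_KIND and length == MD5SIG_LEN:
            return hmac.compare_digest(segment[i + 2:i + 18],
                                       digest(src_ip, dst_ip, segment, key))
        i += length
    return False                                   # unsigned segments are rejected

if __name__ == "__main__":
    # Constructed sample: a BGP KEEPALIVE between two documentation addresses.
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"
    seg = sign("192.0.2.1", "192.0.2.2", 49152, 179, 1000, 2000, 0x18,
               keepalive, b"example-key")
    print(verify("192.0.2.1", "192.0.2.2", seg, b"example-key"))
```

Because the sequence number sits inside the hashed fixed header, a segment with the right sequence number but without the key still fails `verify`.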