On Thu, 6 Jan 2011, Dobbins, Roland wrote:

I'll buy that - but since I've yet to see/posit a practical attack on MD5-based IGP authentication, and since if an attacker has enough access to one's network infrastructure to play games with one's IGP, IGP authentication ought to be the least of one's worries, I somehow doubt it's worth the added complexity.

It's usually not about intentional attacks, it's also about unintentional consequences of mistakes.

I've for instance seen mispatching of OC192 links from a DWDM provider so our OC192 interface all of a sudden was connected to another ISP's OC192 interface.

I think it's a mistake of people implementing IPv6 protocols to design them so that they have to rely on IPSEC for their authentication/encryption, at least initially when IPSEC support seems to be quite incomplete for platforms.

In short, not adding MD5 support in OSPFv3 was a design mistake; I'm sure it looked good on paper, but it's not good in real life.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
