On Jan 27, 2012, at 3:52 PM, Patrick W. Gilmore wrote:

> Your network, your decision. On my network, we do not do MD5. We do more
> traffic than anyone and have to be in the top 10 of total eBGP peering
> sessions on the planet. Guess how many times we've seen anyone even attempt
> this attack? If you guessed more than zero, guess again.
>
> I am fully well aware saying this in a public place means someone, probably
> many someones, will try it now just to prove me wrong. I still don't care.
> What does that tell you?
>
> STOP USING MD5 ON BGP.
I would generally say: If you are on a p2p link or control the network, then yeah, you don't need MD5. If you are at a shared medium (e.g. IX) I do recommend it there, as it will help mitigate cases where someone can hijack your session by putting your IP/ASN whatnot on the router.

The threat (attack) never became real and we've now had enough time that even the slowest carriers are running fixed code.

- Jared
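The disagreement above is about whether the TCP MD5 signature option (RFC 2385) is worth enabling on BGP sessions, and Jared's case for it at a shared medium is that a party who can put your IP on an IX port still cannot produce a valid digest without the shared key. The following Python is an added illustration of what that option actually checks; it is not code from this thread or from any router vendor. It signs a constructed TCP segment the RFC 2385 way (IPv4 pseudo-header, fixed TCP header with the checksum zeroed, segment data, then the key) and verifies it from the receiver's side. The addresses, ports, key and the KEEPALIVE-shaped payload are made-up sample values, and placing the MD5 option first in the options area padded with two NOPs is an assumption for this sample, not a requirement of the RFC.

```python
"""RFC 2385 TCP MD5 signature option: build and verify (added example).

All sample values below are constructed for illustration; IPv4 only.
"""
import hashlib
import hmac
import socket
import struct

TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19        # option kind defined in RFC 2385
TCPOLEN_MD5SIG = 18       # kind + length + 16-byte digest
HEADER_LEN = 20           # fixed TCP header without options
SAMPLE_OPTIONS_LEN = 20   # MD5 option (18) + two NOP pads = five 32-bit words (assumed layout)


def _pseudo_header(src_ip, dst_ip, tcp_len):
    # IPv4 pseudo-header: source, destination, zero, protocol, TCP length
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def _digest(src_ip, dst_ip, header20, tcp_len, payload, key):
    # RFC 2385 signs: pseudo-header, fixed header (checksum zeroed, options
    # excluded), segment data, then the shared key. The key never goes on the wire.
    h = hashlib.md5()
    h.update(_pseudo_header(src_ip, dst_ip, tcp_len))
    h.update(header20)
    h.update(payload)
    h.update(key)
    return h.digest()


def build_signed_segment(src_ip, dst_ip, src_port, dst_port, seq, ack,
                         flags, window, payload, key):
    """Return a TCP segment (header + options + data) carrying an MD5 option."""
    tcp_len = HEADER_LEN + SAMPLE_OPTIONS_LEN + len(payload)
    data_offset = (HEADER_LEN + SAMPLE_OPTIONS_LEN) // 4      # in 32-bit words
    header20 = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                           data_offset << 4, flags, window, 0, 0)
    digest = _digest(src_ip, dst_ip, header20, tcp_len, payload, key)
    options = (bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest
               + bytes([TCPOPT_NOP, TCPOPT_NOP]))
    return header20 + options + payload


def _find_md5_option(options):
    """Walk the TCP options area and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return bytes(options[i + 2:i + length])
        i += length
    return None


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """True only if the segment carries an MD5 option that matches key."""
    if len(segment) < HEADER_LEN:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < HEADER_LEN or data_offset > len(segment):
        return False
    header20 = bytearray(segment[:HEADER_LEN])
    header20[16:18] = b"\x00\x00"          # checksum is zero in the signed data
    options = segment[HEADER_LEN:data_offset]
    payload = segment[data_offset:]
    received = _find_md5_option(options)
    if received is None:                   # no option at all: reject, do not fall open
        return False
    expected = _digest(src_ip, dst_ip, bytes(header20), len(segment), payload, key)
    return hmac.compare_digest(received, expected)


# Constructed sample values: an IX peer speaking to us on port 179.
SAMPLE_KEY = b"constructed-ix-peer-key"
SAMPLE_SRC, SAMPLE_DST = "192.0.2.10", "192.0.2.20"
SAMPLE_PAYLOAD = b"\xff" * 16 + b"\x00\x13\x04"   # 19-byte BGP KEEPALIVE shape


def demo():
    """Legitimate peer passes; a peer without the key or a modified segment fails."""
    seg = build_signed_segment(SAMPLE_SRC, SAMPLE_DST, 179, 45000, 1000, 2000,
                               0x18, 65535, SAMPLE_PAYLOAD, SAMPLE_KEY)
    tampered = seg[:-1] + bytes([seg[-1] ^ 0x01])
    return {
        "legitimate_peer": verify_signed_segment(SAMPLE_SRC, SAMPLE_DST, seg, SAMPLE_KEY),
        "spoofed_peer_without_key": verify_signed_segment(SAMPLE_SRC, SAMPLE_DST, seg, b"wrong-key"),
        "modified_in_flight": verify_signed_segment(SAMPLE_SRC, SAMPLE_DST, tampered, SAMPLE_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The second and third results are the two things the option buys at a shared medium: a segment sourced from your peer's address by someone who does not hold the key, and a segment altered after signing, both fail verification, while on a p2p link nobody else can source those segments in the first place, which is the distinction Jared draws. Note that the digest covers the pseudo-header and sequence numbers, so it also binds the signature to one particular session.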

