MD5 proliferation statistics

Packet Clearing House has routers at several exchange points, which we
use to collect local snapshots of the routes available at the exchanges.
To do this, we peer with as many of the participants at each exchange as
possible. We're mainly just collecting data, so route flaps aren't a huge
problem for us. We haven't been tracking down existing peers and asking
them to configure MD5 passwords on the sessions. We have been configuring
MD5 passwords on sessions when asked, so we've got MD5 configured with
peers who have asked for it, but not with peers who haven't.

As of Tuesday night, we had 244 peering sessions, of which 24 had MD5
configured. We configured MD5 on four more sessions yesterday, bringing
the total to 28, and have one request that hasn't been completed yet, for
a total of 29.

29 out of 244 is roughly 12%.

I'm going to make two broad assumptions here: that those peers who have
configured MD5 with us have configured MD5 with all their peers, and that
those who haven't configured MD5 with us have been asked to by 12% of
their peers. I'm further going to assume that peers consistently
configure MD5 when asked to, although I suspect that's a really bad
assumption.

Therefore, we can assume that 12% of ISPs have all their peers configured
with MD5, and that the remaining 88% have 12% of their peers configured
with MD5, for a total of 22% of peering sessions having MD5 passwords.

I strongly suspect my assumption about the responsiveness of peers is
wrong, and that the real number is somewhere between 12% and 22%. It's
also possible that my sample isn't representative enough, which would lead
to further problems with accuracy.

I'm curious as to what sorts of response rates those who have been
actively contacting peers to ask for MD5 configuration have been getting,
as well as whether other networks that have not been proactive about
this have been seeing contact rates similar to ours.

-Steve Gibbard
Packet Clearing House
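
The estimate in the post above, carried through as a small added example (not part of the original message): the observed fraction p of one network's sessions with MD5 is treated as a lower bound, and the "everyone complies when asked" model p + (1 - p) * p gives the upper bound. The responsiveness parameter r, which scales how many asked peers actually enable MD5, is an assumption of this example added to express the "somewhere between 12% and 22%" range; the session counts for the two networks are taken from the thread.

```python
"""Bound the share of BGP sessions protected by TCP MD5 (RFC 2385) from one
network's own peering table, following the reasoning in the post above.

Model (an assumption of this example, generalising the post):
  p = observed fraction of our sessions with MD5 configured
  r = fraction of peers that actually enable MD5 when asked (0..1)
Estimated overall fraction of peering sessions with MD5:
  p + (1 - p) * p * r
Peers that asked us are assumed to have MD5 with all their peers; every
other peer is assumed to have been asked by a fraction p of its peers, of
whom a fraction r complied.  r = 1 reproduces the post's upper bound,
r = 0 collapses to the observed fraction.
"""


def observed_fraction(md5_sessions: int, total_sessions: int) -> float:
    """Fraction of our own sessions with MD5 configured (the lower bound)."""
    if total_sessions <= 0 or not 0 <= md5_sessions <= total_sessions:
        raise ValueError("need 0 <= md5_sessions <= total_sessions and total > 0")
    return md5_sessions / total_sessions


def estimated_fraction(p: float, responsiveness: float = 1.0) -> float:
    """Overall MD5 share under the model above; responsiveness is r in [0, 1]."""
    if not 0.0 <= p <= 1.0 or not 0.0 <= responsiveness <= 1.0:
        raise ValueError("p and responsiveness must be in [0, 1]")
    return p + (1.0 - p) * p * responsiveness


def md5_bounds(md5_sessions: int, total_sessions: int) -> dict:
    """Lower bound (observed) and upper bound (r = 1) for a peering table."""
    p = observed_fraction(md5_sessions, total_sessions)
    return {"observed": p, "lower": p, "upper": estimated_fraction(p, 1.0)}


# Session counts as reported in the thread (per-session for PCH, per-AS for DE-CIX).
THREAD_SAMPLES = {
    "PCH": (29, 244),
    "DE-CIX": (21, 120),
}

if __name__ == "__main__":
    for name, (md5, total) in THREAD_SAMPLES.items():
        b = md5_bounds(md5, total)
        print(f"{name}: observed {b['observed']:.1%}, "
              f"estimated range {b['lower']:.1%} .. {b['upper']:.1%}")
```

The observed share is the only figure actually measured; the upper bound rests entirely on the two assumptions the post itself flags as shaky, so treat it as a ceiling rather than a point estimate.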

At DE-CIX (www.de-cix.net) we have two route-servers (resilient setup).
We were not really actively contacting peers (i.e. did not really press
them to activate MD5).

Our figures (counted per AS, not per peering, as we have double peerings
both on our side and on the customer side, with two or more routers) are:

120 peerings
  21 MD5 peerings

ratio: 17.5%

Better than expected. I told a friend that MD5 peerings would be <10%.

Arnold

Now I have been pretty vocal about the whole MD5 thing, but I have to say that route-servers are probably not the best indication of MD5-ness. Sessions which pass traffic get a little higher priority at most organizations.

Unfortunately, my organization was not passive until we got to see what the threat actually was, so our numbers are not useful. Would any traffic-carrying-organization care to discuss their numbers?

And anyone want to admit seeing an RST-style attack? Any attack which MD5 would have blocked?

We requested MD5 by emailing all our peers several weeks ago; responses have
been steady.

We have 49% of peering sessions MD5 (that's 43% counted by ASN).

In general, small ISPs and customers have been poor at responding, with large ISPs
and those operating ticket systems on their peering contact email being the
best.

We've had very few inbound requests for MD5, and of those that we had they
tended to be from large ISPs.

Steve

<http://www.cctec.com/maillists/nanog/historical/0109/msg01381.html>

After that post, DePaul's peering sessions peaked at about 50. If I'm
not mistaken, only 1 new peer would not do MD5. The number doing MD5
for the first time probably went up slightly as well. In the end, one
of those organizations who wouldn't do MD5 is no longer in operation
and another, well, I'm here now and that was something on my list of
to-do's. :)

John