Peering at public exchange authentication

Hello all,

Wondering your views or common practices for using authentication via BGP at public exchange locations.

Just for example, lets say you peer with 5 people in the TELX in Atlanta, do you require them to all use authentication for the BGP session?

Ive seem some use it and some not use it, is it just a preference?

MD5 on BGP Considered Harmful

Its up to you and how you want to manage your sessions. Some networks
require it, some prefer it but do not require it, and others do not want to
use it at all.

Hi Craig,

It may be simplest to use GTSM

Kind regards,


Almost all good and popular peering points utilize MAC locks on ports for
all peers. (With few exceptions. ) To hijack a bgp session one would need
not only a port on the peering network but a MAC address registered with
the peering network - or their packets won't transverse the port through
the switches to your port.

So the extra CPU load of MD5, in my opinon, is a waste on an peering edge
router with many peers. With lots of peers on a router - all the timing
and table building after a needed maintenance reboot could lead to table
building slowness and establishment timing sluggishness issues (depending
on the router of course).

If a peering network doesn't lock most all participants (and any router
servers they have) by the MAC of the peering device I won't be a

All that said - I know of a way a customer of a network can create havoc
by using a device/router that allows the MAC to be modified like a
variable. However, for the most part that havoc would be limited to that
network that hacking customer is located on. This would also be a truly
rare event as there needs to be something the network also allowed for the
customer to get routable layer 2 access to the peering port.

Bob Evans

Talks about GSRs and Sup720's, but still relevant today.