
Better visibility into packet-dropping decisions

Better visibility into packet-dropping decisions

Posted Feb 27, 2022 23:43 UTC (Sun) by amarao (guest, #87073)
Parent article: Better visibility into packet-dropping decisions

MD5 for TCP is really a single good protection against RST attacks on BGP. You can filter ingress, but there is always a risk of missing something. Having MD5 allows having a month-long TCP session without the risk of malicious RSTs.


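The RST protection being described is the RFC 2385 TCP MD5 signature option: the digest covers the IP pseudo-header, the fixed TCP header (checksum zeroed, options excluded), the payload and the shared key, so a third party who knows the 4-tuple and can guess the sequence window still cannot produce a segment the receiver will accept. The following Python is an added illustration written for this thread, not code from the Linux kernel or from any BGP daemon; the addresses, ports and key are made up, only IPv4 is handled, and the TCP checksum is left at zero (it is not part of the digest, and a real stack fills it in later). The three verification outcomes are named after the Linux TcpExt counters for the same conditions.

```python
import hashlib
import hmac
import socket
import struct

MD5_KIND, MD5_LEN = 19, 18        # RFC 2385 option: kind 19, length 18 (2 + 16-byte digest)
FLAG_RST, FLAG_ACK = 0x04, 0x10


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest: pseudo-header, base TCP header with checksum = 0 (options
    excluded), segment data, then the shared key. tcp_header includes options
    so that the pseudo-header segment length is the full TCP length."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    base = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]   # zero the checksum field
    return hashlib.md5(pseudo + base + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", key=None):
    """Build a TCP segment (header + options + payload). With key=None no MD5
    option is emitted, which is what an unauthenticated forger would send."""
    if key is None:
        options = b""
    else:
        # NOP NOP padding keeps the 18-byte option on a 4-byte boundary
        options = b"\x01\x01" + bytes([MD5_KIND, MD5_LEN]) + b"\x00" * 16
    data_offset = (20 + len(options)) // 4
    base = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, 65535, 0, 0)   # checksum left at 0 (assumption)
    if key is not None:
        digest = tcp_md5_digest(src_ip, dst_ip, base + options, payload, key)
        options = options[:4] + digest
    return base + options + payload


def extract_md5_option(segment):
    """Walk the TCP options; return the 16-byte digest or None if absent."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            return None
        length = opts[i + 1]
        if length < 2:
            return None                    # malformed option, stop walking
        if kind == MD5_KIND and length == MD5_LEN:
            return opts[i + 2:i + MD5_LEN]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver-side check. Return values mirror the Linux TcpExt counters:
    "not_found" (key configured, option missing), "unexpected" (option present,
    no key configured), "failure" (digest mismatch) or "ok"."""
    data_offset = (segment[12] >> 4) * 4
    received = extract_md5_option(segment)
    if key is None:
        return "unexpected" if received is not None else "ok"
    if received is None:
        return "not_found"
    expected = tcp_md5_digest(src_ip, dst_ip, segment[:data_offset],
                              segment[data_offset:], key)
    return "ok" if hmac.compare_digest(received, expected) else "failure"


def demo():
    """Constructed peering: 192.0.2.1:179 <-> 192.0.2.2:40000, shared key 'shared-key'.
    Returns the verdict for a genuine RST, a forged RST with a guessed key, and
    a plain RST carrying no option at all."""
    src, dst, key = "192.0.2.1", "192.0.2.2", b"shared-key"
    rst = FLAG_RST | FLAG_ACK
    genuine = build_segment(src, dst, 179, 40000, 1000, 2000, rst, key=key)
    forged = build_segment(src, dst, 179, 40000, 1000, 2000, rst, key=b"guessed")
    plain = build_segment(src, dst, 179, 40000, 1000, 2000, rst)
    return {
        "genuine": verify_segment(src, dst, genuine, key),
        "forged": verify_segment(src, dst, forged, key),
        "plain": verify_segment(src, dst, plain, key),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the example is the last two dictionary entries: a spoofed RST with the right 4-tuple and sequence number is dropped either because the option is missing or because the digest does not verify, which is exactly the event the kernel's TCPMD5NotFound / TCPMD5Failure counters record.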

Better visibility into packet-dropping decisions

Posted Mar 2, 2022 3:25 UTC (Wed) by MaZe (subscriber, #53908) [Link] (2 responses)

eh, most uses of TCP MD5 are pretty pointless because they just use well-known passwords...

Better visibility into packet-dropping decisions

Posted Mar 2, 2022 9:58 UTC (Wed) by amarao (guest, #87073) [Link]

I do understand you. When a new session is agreed with a party, a password is provided together with the IP and AS number. Even though MD5 is considered hopelessly broken, for the sake of RST protection it is more than enough, because even 32 additional bits push the attack from the `feasible` to the `unfeasible` realm.

Better visibility into packet-dropping decisions

Posted Jul 7, 2022 6:48 UTC (Thu) by gdt (subscriber, #6284) [Link]

Even using a silly MD5 password is worthwhile, since the spray of failed MD5 packets (and thus log messages) prior to the BGP connection reset make it plain that the cause is network abuse.
Cynically, if the BGP connection isn't using a long, random, unique key prior to that outage, then it will be afterwards :-)

Linux counting failed MD5 packets is excellent, as network operators investigating BGP connection issues can check that the counter is the expected zero.

For the longest time vendors were promoting IPsec as the replacement for the TCP MD5 option, but operationally the overhead of configuration and customer education was too high. More recently TCP-AO (Authentication Option) offers a similar mechanism to the MD5 option, but with modern cryptographic algorithms.

For external BGP connections the TTL security check also offers good protection from network abuse. Customers generally seem to be able to configure that without much difficulty.
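The two operational checks in the comment above, as an added example that is not part of the original post: the failed-MD5 counters live in the TcpExt table of /proc/net/netstat (TCPMD5NotFound, TCPMD5Unexpected, TCPMD5Failure; `nstat -az | grep TcpExtTCPMD5` shows the same values), and the TTL security check is RFC 5082 GTSM, where a peer sends with TTL 255 and the receiver discards anything below 255 minus the expected hop count. The netstat text below is constructed with a handful of the real column names, not captured from a router, and the GTSM function only models the rule (on Linux the kernel-side enforcement is the IP_MINTTL socket option set by the BGP daemon).

```python
# Constructed /proc/net/netstat excerpt (subset of the real columns); the
# nonzero TCPMD5Failure is the signature gdt describes: a peer was being
# sprayed with segments whose MD5 digest did not verify.
SAMPLE_NETSTAT = """\
TcpExt: SyncookiesSent SyncookiesRecv TCPMD5NotFound TCPMD5Unexpected TCPMD5Failure TCPRcvCoalesce
TcpExt: 0 0 0 0 37 12891
IpExt: InNoRoutes InTruncatedPkts OutOctets
IpExt: 0 0 5150310
"""

MD5_COUNTERS = ("TCPMD5NotFound", "TCPMD5Unexpected", "TCPMD5Failure")


def parse_netstat(text):
    """Parse /proc/net/netstat, which alternates a header line and a value
    line per table ("TcpExt: name name ..." then "TcpExt: 0 0 ...").
    Returns {"TcpExt": {name: int, ...}, "IpExt": {...}}."""
    tables = {}
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of lines: header/value pairs expected")
    for header, values in zip(lines[0::2], lines[1::2]):
        hname, *names = header.split()
        vname, *vals = values.split()
        if hname != vname or len(names) != len(vals):
            raise ValueError(f"malformed table {hname!r}")
        tables[hname.rstrip(":")] = dict(zip(names, map(int, vals)))
    return tables


def md5_counters(tables):
    """The three MD5 counters, defaulting to 0 on kernels that lack one."""
    tcpext = tables.get("TcpExt", {})
    return {name: tcpext.get(name, 0) for name in MD5_COUNTERS}


def md5_abuse_suspected(tables):
    """The operator's check: on a healthy authenticated peering all three
    counters are expected to be zero, so any nonzero value is a lead."""
    return any(value for value in md5_counters(tables).values())


def gtsm_accept(ttl, max_hops=0):
    """RFC 5082: the sender uses TTL 255; accept only if the remaining TTL
    shows the packet crossed at most max_hops routers (0 for a directly
    connected eBGP neighbour)."""
    return 0 <= ttl <= 255 and ttl >= 255 - max_hops


def gtsm_filter(packets, max_hops=0):
    """Apply the GTSM check to (source, ttl) pairs; returns the accepted
    sources and the dropped ones, in arrival order."""
    accepted, dropped = [], []
    for source, ttl in packets:
        (accepted if gtsm_accept(ttl, max_hops) else dropped).append(source)
    return accepted, dropped


if __name__ == "__main__":
    stats = parse_netstat(SAMPLE_NETSTAT)
    print(md5_counters(stats), "abuse suspected:", md5_abuse_suspected(stats))
    # Constructed arrivals: the real neighbour is on-link (TTL 255); the other
    # two came from several hops away, which a directly connected peer cannot.
    print(gtsm_filter([("192.0.2.1", 255), ("198.51.100.7", 250), ("203.0.113.9", 64)]))
```

Reading the counters before and after an outage is the cheap version of the investigation gdt describes: a nonzero TCPMD5Failure on a session whose password was never changed points at spoofed segments rather than at a misconfiguration, while TCPMD5NotFound growing on one side usually means the two ends disagree about whether the session is authenticated at all.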


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds