nanog mailing list archives
Re: MD5 in BGP4
From: "Kevin Oberman" <oberman () es net>
Date: Wed, 12 Jul 2000 08:39:47 -0700
Date: Wed, 12 Jul 2000 08:26:56 -0400
From: "HANSEN CHAN" <hansen.chan () alcatel com>
Sender: owner-nanog () merit edu

Hi folks,

I understand that MD5 is quite commonly used in IGP such as OSPF but not in BGP4. Am I correct? Can someone explain to me why? Shouldn't one be more concerned about the session being hijacked when talking to another network?

I'll take a crack at this, I guess.

OSPF and most (all?) other IP-based routing protocols broadcast and flood data. This makes it pretty easy for someone to simply send out a spoofed packet and have it believed by one or more routers.

BGP is a TCP-based protocol and is normally run only to an adjacent peer. This combination makes it very hard to break into. You have to have another system on the shared media send a spoofed packet with bogus information that fits the TCP stream and the BGP status for that peering (and many BGP connections are point-to-point, making even this impossible).

Multi-hop BGP is a different beast and much more likely to be subject to attack, but it's also pretty rare and such an attack would still be very difficult.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman () es net
Phone: +1 510 486-8634
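
Added example, not part of the original post: MD5 on a BGP session is normally the TCP MD5 signature option of RFC 2385, and this sketch shows the receiver-side check it adds on top of a segment already having to fit the TCP stream. The addresses, ports, key, the `build_signed` helper and the sample KEEPALIVE are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest over an IPv4 TCP segment (header + options + data)."""
    hdr_len = (segment[12] >> 4) * 4              # data offset, options included
    if not 20 <= hdr_len <= len(segment):
        raise ValueError("bad TCP data offset")
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))   # zero, proto 6, length
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]    # checksum taken as zero
    # Options are excluded from the hash; the shared key goes last.
    return hashlib.md5(pseudo + fixed + segment[hdr_len:] + key).digest()

def carried_digest(segment):
    """Return the 16-byte digest from TCP option kind 19, or None if absent."""
    i, end = 20, (segment[12] >> 4) * 4
    while i < end and segment[i] != 0:            # kind 0 = end of option list
        if segment[i] == 1:                       # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= end or segment[i + 1] < 2 or i + segment[i + 1] > end:
            return None                           # malformed option list
        if segment[i] == 19 and segment[i + 1] == 18:
            return segment[i + 2:i + 18]
        i += segment[i + 1]
    return None

def verify(src_ip, dst_ip, segment, key):
    """Receiver check: drop unless the option is present and the digest matches."""
    got = carried_digest(segment)
    want = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return got is not None and hmac.compare_digest(got, want)

def build_signed(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """Constructed sample sender: 20-byte header + NOP NOP + 18-byte MD5 option."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 10 << 4, 0x18, 16384, 0, 0)
    unsigned = hdr + b"\x01\x01\x13\x12" + bytes(16) + payload
    digest = tcp_md5_digest(src_ip, dst_ip, unsigned, key)
    return hdr + b"\x01\x01\x13\x12" + digest + payload

# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4)
# sent between documentation addresses; the TCP checksum is left at zero.
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
KEY = b"constructed-shared-secret"
SIGNED = build_signed("192.0.2.1", "192.0.2.2", 40000, 179, 1000, 2000, KEEPALIVE, KEY)
```

A segment with the right addresses, ports and sequence number is still rejected by `verify` when it carries no option or was signed with a different key.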