nanog mailing list archives
Re: MD5 in BGP4
From: "Steven M. Bellovin" <smb () research att com>
Date: Wed, 12 Jul 2000 14:06:21 -0400
In message <200007121609.KAA09225 () tcb net>, Danny McPherson writes:
The primary goal of the BGP MD5 signature option is to protect the TCP substrate from introduction of spoofed TCP segments such as TCP RSTs. These segments could easily be injected from anywhere on the Internet. Lots of service providers employ the TCP MD5 signature option stuff to protect both internal and external BGP sessions in their networks. It really doesn't matter if the neighbors are directly connected or not, BGP rides on IP and is therefore vulnerable to "packet bombs" and the like from anywhere, regardless of whether the peer is internal, external or external multi-hop. Exploiting such a vulnerability is trivial, actually, in any of these configurations. All one needs to know is a tiny amount of information associated with the BGP session. Though MD5 clearly isn't perfect, it does make it considerably more difficult. Using MD5 stuff with IP-based protocols such as BGP & OSPF is strongly advised. Obviously, IS-IS and similar protocols are less vulnerable.
Right. To learn how to hijack a TCP session, see

@inproceedings{hijack,
  title = {A Simple Active Attack Against {TCP}},
  author = {Laurent Joncheray},
  year = 1995,
  booktitle = {Proceedings of the Fifth Usenix \Unix\ Security Symposium},
  address = {Salt Lake City, UT}
}

IPsec protection is even stronger than the MD5 signature option described in RFC 2385, but 2385 is *far* better than nothing. (Btw -- since 2385 requires a TCP option, it's implemented in the stack, and not at application level.) --Steve Bellovin
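To make concrete what the RFC 2385 option buys a BGP session, here is an added example (not from either poster) of the receiver-side check: the MD5 digest is computed over the pseudo-header, the fixed TCP header with checksum zeroed and options excluded, the data, and the shared key, so a spoofed RST from a sender who knows the addresses, ports and sequence numbers but not the key is dropped. The addresses, ports, sequence numbers and key are constructed sample values; a fixed 40-byte header length (20-byte header plus the 18-byte option and 2 NOPs) is assumed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

FLAG_RST, FLAG_ACK = 0x04, 0x10
HDR_LEN = 40  # assumed: 20-byte fixed header + 18-byte MD5 option (kind 19) + 2 NOPs

@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes = b""
    md5_option: Optional[bytes] = None  # 16-byte digest carried in the option, if any

def rfc2385_digest(seg: Segment, key: bytes) -> bytes:
    # RFC 2385 section 2.0: MD5 over pseudo-header, fixed TCP header with the
    # checksum zeroed and options excluded, the segment data, then the key.
    seg_len = HDR_LEN + len(seg.payload)
    pseudo = (IPv4Address(seg.src_ip).packed + IPv4Address(seg.dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))  # zero, protocol 6 = TCP, length
    fixed = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                        (HDR_LEN // 4) << 4, seg.flags, 65535, 0, 0)  # window, csum=0, urg
    return hashlib.md5(pseudo + fixed + seg.payload + key).digest()

def sign(seg: Segment, key: bytes) -> Segment:
    seg.md5_option = rfc2385_digest(seg, key)
    return seg

def accept(seg: Segment, key: bytes) -> bool:
    # MD5-protected session: segments without the option, or with a bad digest, are dropped.
    if seg.md5_option is None:
        return False
    return hmac.compare_digest(seg.md5_option, rfc2385_digest(seg, key))

def demo(key: bytes = b"example-shared-secret"):
    # Constructed sample: a legitimate ACK from the peer, then two RSTs from a
    # sender that knows addresses, ports and sequence numbers but not the key.
    peer = ("192.0.2.1", "192.0.2.2", 179, 41000, 1000, 2000)
    good = sign(Segment(*peer, FLAG_ACK), key)
    unsigned_rst = Segment(*peer, FLAG_RST | FLAG_ACK)
    wrong_key_rst = sign(Segment(*peer, FLAG_RST | FLAG_ACK), b"guess")
    return accept(good, key), accept(unsigned_rst, key), accept(wrong_key_rst, key)
```

`demo()` returns `(True, False, False)`: only the segment signed with the session key is accepted, which is the protection against injected RSTs the thread describes.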