nanog mailing list archives

Re: MD5 in BGP4


From: Danny McPherson <danny () tcb net>
Date: Wed, 12 Jul 2000 21:37:10 -0600




> It's a kind of useless thing. If you allow spoofing,
> you are vulnerable to DoS attacks against BGP; if you
> are not, there's no need to use MD5 for BGP.

Actually, I can think of more than a few configurations
where this isn't true.  For example, shared-media exchange
points where multiple networks reside on a single segment
and eBGP peer using the address of the segment.  The IP
network number is associated only with the interface;
there's no individual hardware/IP address relationship
relative to anti-spoofing here.

> And DoS attack is the reality, not BGP spoofing (maybe
> you know any such case? I do not know any).

Agreed, its purpose is more so to protect against DoS
type stuff at the TCP layer.

> For IS-IS and OSPF, it's another matter. They are working
> over the LAN, and customers and internal users are often
> plugged into this network. So, authentication is necessary
> to prevent both errors and intrusions (and the anti-error
> measures are much more important in such networks).

However, I think we'd both agree that a configuration such 
as this (IGP being enabled on customer facing interfaces)
is ill-advised.

> Just again, I know a lot of cases when IGP was broken
> by error (someone installed a new server and turned OSPF
> on), but I do not know any attacks of this kind (but
> I believe there are such cases for IGP protocols). Though,
> to defend against such attacks originating from IGP, you
> need a lot of things to be used (no Redirect, static ARP,
> etc.).

Agreed.

-danny
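As an added example, not from this thread or its authors: a minimal RFC 2385 TCP MD5 signature computation and check in Python, showing why a forged TCP RST aimed at a BGP session is dropped by a receiver that shares the key, even on a shared segment where source-address anti-spoofing cannot help. Addresses, ports and the key are constructed for illustration; a real router does this inside its TCP stack.

```python
import hashlib
import hmac
import socket
import struct

BGP_PORT = 179
TCP_PROTO = 6
TCP_FLAG_RST = 0x04
TCP_FLAG_ACK = 0x10


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Fixed 20-byte TCP header: data offset 5 words, checksum and urgent pointer zero."""
    offset_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest over pseudo-header, fixed header (checksum zeroed), data, key."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]  # clear checksum field
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def verify_segment(src_ip, dst_ip, tcp_header, payload, received_digest, key):
    """Receiver side: recompute the digest and compare without leaking timing."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(expected, received_digest)


def demo():
    """Constructed scenario: two peers on a shared segment, one forged RST."""
    key = b"constructed-shared-secret"          # assumed pre-shared BGP password
    peer_a, peer_b = "192.0.2.1", "192.0.2.2"  # documentation-range addresses
    legit = build_tcp_header(BGP_PORT, 4242, 1000, 2000, TCP_FLAG_ACK)
    legit_digest = tcp_md5_digest(peer_a, peer_b, legit, b"", key)
    # A host on the same segment can forge peer A's source address, but
    # without the key its RST carries a digest the receiver will not accept.
    rst = build_tcp_header(BGP_PORT, 4242, 1000, 2000, TCP_FLAG_RST | TCP_FLAG_ACK)
    forged_digest = tcp_md5_digest(peer_a, peer_b, rst, b"", b"wrong-guess")
    return {
        "legit_accepted": verify_segment(peer_a, peer_b, legit, b"", legit_digest, key),
        "forged_rst_rejected": not verify_segment(peer_a, peer_b, rst, b"", forged_digest, key),
        # Reusing a captured digest fails too: flags and sequence numbers are hashed.
        "replayed_digest_rejected": not verify_segment(peer_a, peer_b, rst, b"", legit_digest, key),
    }
```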
