nanog mailing list archives
Re: Winstar says there is no TCP/BGP vulnerability
From: Rodney Joffe <rjoffe () centergate com>
Date: Tue, 20 Apr 2004 22:01:52 -0700
Joe,

Joe Rhett wrote:
I've left your entire message below so that one can see I've removed nothing. Winstar has made NONE of the statements you are interpreting from their response. They have simply stated that they don't support it at this moment in time. I'll grant you that they could have answered "when" or "why" or "what else". But they certainly didn't say anything you are suggesting that they have said.
The only network engineer who may NOT have been aware of the building BGP vulnerability issue over the last week has to be the engineer who is currently on his annual vacation in Mauritius, and who refuses to take his Blackberry, Palm, or Satellite phone with him. And given the frantic activity by every single major backbone to protect their connections by DEMANDING MD5 authentication, I think it is disingenuous to suggest that a network like Winstar is merely saying "They don't support it at this time" because they haven't gotten round to it. They have to also be saying:

1) We don't believe there is any threat.
2) We don't want to set up MD5 because it is against our religion.
3) We don't know *how* to set it up.
4) Our machines can't support setting up MD5.
5) Our network cannot support the outage as we bounce the session.
6) Our customers cannot accept the outage as we bounce the session.
7) We're just thinking about it, and our planning process is taking a long time.
8) We don't care about customer needs, even customers who spend $200k a year with us.
9) We don't care about customers.

And I am sure there are a slew of other possibilities. But for a network provider to respond to a request from a large customer who asks that their peering session be authenticated by just responding "We don't use MD5 for peering currently" shows an unusually ballsy attitude. There is more to it. Absent a specific, I chose to assume the first option. I'm happy to hear Winstar's alternative. I'm also interested in hearing if Winstar provided the same response to the other big backbones? MCI, Sprint, AT&T, Level3, Verio, etc.

It seems to me that causing resets regularly forces the router to churn, dealing with inserting routes into FIB, deleting routes from FIB, recalculate FIB. Wash, rinse, repeat. Miscreants have no interest in a single reset. And it won't take 200 seconds after the first reset. You probably won't get out of the first window.
I stand by my first comment - Winstar doesn't believe that this is enough of a threat to even craft a professional response.
<joke>Should we ever meet, I'll remember to never turn down a beer. You might think I'm pro-prohibition or something...</joke>
No. If you were standing in the way of a scheduled trainwreck, and I tossed you a schedule, a map, fed you live video of the approaching train, and tossed you a lifeline, and you said you didn't believe there was any danger I'd have to wonder.
On Tue, Apr 20, 2004 at 01:44:44PM -0700, Rodney Joffe wrote:

Perhaps we are all making too much of this... It appears that Winstar feels that there is no need for MD5 authentication of peering sessions. One of our customers has just had the following response from Winstar following a request to implement MD5 on their OC3 connection to Winstar. My first suggestion is to locate another upstream provider (they have 3 already). However, perhaps someone from Winstar would care to help us all understand what the alternative solution is to securing the session via MD5? I would *love* an alternative to the 5 days of work we've just gone through.

-----Original Message-----
From: Justin Crawford - NMCW Engineer [mailto:jcrawford () winstar net]
Sent: Tuesday, April 20, 2004 11:13 AM
To: xxxxxx
Subject: Re: *****SPAM***** MD5 implimentation on BGP

xxxxx,

Winstar does not currently run MD5 authentication with our peers.

Thanks
Justin

Thank you for your time and business
Justin Crawford
Winstar NMCW
Ph: 206-xxx.xxxx

Has anyone else run into this with Winstar?

--
Rodney Joffe
CenterGate Research Group, LLC.
http://www.centergate.com
"Technology so advanced, even we don't understand it!"(SM)

--
Joe Rhett
Chief Geek
JRhett () Isite Net
Isite Services, Inc.
--
Rodney Joffe
CenterGate Research Group, LLC.
http://www.centergate.com
"Technology so advanced, even we don't understand it!"(R)
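Added editor's example, not part of the thread: the MD5 protection the thread is arguing about is the RFC 2385 TCP MD5 Signature Option, and this shows what a receiver actually checks on each segment (pseudo-header, fixed TCP header with the checksum zeroed, the data, then the shared key). The addresses, ports, sequence numbers and key are constructed values; the BGP KEEPALIVE payload is built inline.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG = 19   # RFC 2385 TCP MD5 Signature Option kind
TCPOPT_NOP = 1
TCPOPT_EOL = 0

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest over: pseudo-header, fixed TCP header (options excluded,
    checksum zeroed), segment data, and the shared key, in that order."""
    if len(tcp_header) != 20:
        raise ValueError("pass the 20-byte fixed TCP header, without options")
    header_len = (tcp_header[12] >> 4) * 4          # data offset counts the options too
    seg_len = header_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    header_zero_csum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    return hashlib.md5(pseudo + header_zero_csum + payload + key).digest()

def md5sig_option(digest):
    """Kind 19, length 18, 16-byte digest, padded with two NOPs to a 32-bit boundary."""
    return bytes([TCPOPT_MD5SIG, 18]) + digest + bytes([TCPOPT_NOP, TCPOPT_NOP])

def verify_segment(src_ip, dst_ip, tcp_header, options, payload, key):
    """True only if the segment carries a signature option matching `key`; an
    unsigned or mis-keyed segment on an MD5-protected session is dropped."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = options[i + 1]
        if kind == TCPOPT_MD5SIG and length == 18:
            expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
            return hmac.compare_digest(options[i + 2:i + 18], expected)
        i += length
    return False

def sample_keepalive(key):
    """Constructed BGP KEEPALIVE (16-byte marker, length 19, type 4) on a signed session."""
    payload = b"\xff" * 16 + struct.pack("!HB", 19, 4)
    # ports 179->45000, seq/ack, data offset 10 words (20 hdr + 20 opts), PSH|ACK, window, dummy csum
    header = struct.pack("!HHIIBBHHH", 179, 45000, 0x1000, 0x2000, 10 << 4, 0x18, 65535, 0x1234, 0)
    options = md5sig_option(tcp_md5_digest("192.0.2.1", "192.0.2.2", header, payload, key))
    return header, options, payload
```

Because the key never crosses the wire and the digest covers addresses, ports and the data, a segment built without the key (including a bare RST) fails the check and is discarded before it can tear down the session.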