nanog mailing list archives
Alternatives to MD5 [Re: Winstar says there is no TCP/BGP vulnerability]
From: Pekka Savola <pekkas () netcore fi>
Date: Wed, 21 Apr 2004 09:25:14 +0300 (EEST)
On Tue, 20 Apr 2004, Rodney Joffe wrote:
> However, perhaps someone from Winstar would care to help us all
> understand what the alternative solution is to securing the session
> via MD5? I would *love* an alternative to the 5 days of work we've
> just gone through.
1) Deploy correct ingress/egress filtering at all of your edges, and

2) Make sure your upstreams/peers do that as well at least for the
   p-t-p prefixes you use between you and them.

If you can't assume 2), you need something like GTSM or MD5 for the BGP sessions between you and your peers/upstreams.

Note that I assume that if customers don't do ingress/egress filtering for their p-t-p prefixes, they are shooting themselves in the foot, and are the only people suffering from the resets. Similar techniques as mentioned in the previous paragraph could be applied as well, of course.

That is, a thing most people seem to be forgetting is that for these TCP packets to be processed, they must be spoofed to come from a certain source IP address. If packets spoofed from that address are summarily discarded at appropriate places before reaching the infrastructure, you're pretty much safe.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
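
An added example, not part of the original message: a small Python model of the two checks the reply describes, edge filtering of packets that claim a p-t-p source address and a GTSM TTL check for the case where the neighbor's filtering cannot be assumed. The interface names, prefixes (documentation address space) and sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values, not from the thread.
# Interface name -> the p-t-p prefix legitimately attached to it.
ATTACHED = {
    "peer0": ip_network("192.0.2.0/30"),
    "peer1": ip_network("192.0.2.4/30"),
}
BGP_PORT = 179


@dataclass
class Packet:
    in_iface: str  # interface the packet arrived on
    src: str
    sport: int
    dport: int
    ttl: int       # TTL as received


def ingress_filter(pkt: Packet) -> bool:
    """Allow a p-t-p source address only on the interface that owns it."""
    src = ip_address(pkt.src)
    for iface, prefix in ATTACHED.items():
        if src in prefix:
            return pkt.in_iface == iface
    return True  # not an infrastructure source; other edge rules apply


def gtsm_check(pkt: Packet, max_hops: int = 1) -> bool:
    """GTSM: peers send BGP with TTL 255, so a directly connected peer's
    packet still arrives with TTL 255; an off-link sender cannot match it."""
    if BGP_PORT not in (pkt.sport, pkt.dport):
        return True
    return pkt.ttl >= 255 - (max_hops - 1)


def accept(pkt: Packet, use_gtsm: bool = False) -> bool:
    return ingress_filter(pkt) and (not use_gtsm or gtsm_check(pkt))


# Constructed packets: spoofed peer address arriving on a customer edge,
# the real peer, and a spoof relayed by a neighbor that does not filter.
SPOOF_VIA_CUSTOMER = Packet("cust0", "192.0.2.1", 40000, BGP_PORT, 52)
LEGIT_PEER = Packet("peer0", "192.0.2.1", 40000, BGP_PORT, 255)
SPOOF_VIA_PEER_LINK = Packet("peer0", "192.0.2.1", 40000, BGP_PORT, 247)
```
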