nanog mailing list archives

Re: BCP38 making it work, solving problems


From: "David G. Andersen" <dga () lcs mit edu>
Date: Tue, 19 Oct 2004 13:20:08 -0400


On Tue, Oct 19, 2004 at 07:14:32PM +0200, JP Velders scribed:

Date: Tue, 19 Oct 2004 09:21:46 -0700
From: Randy Bush <randy () psg com>
Subject: Re: BCP38 making it work, solving problems

For example, how many ISPs use TCP MD5 to limit the possibility of a
BGP/TCP connection getting hijacked or disrupted by a ddos attack?

i hope none use it for the latter, as it will not help.  more and
more use it for the former.  why?  becuase they perceived the need
to solve an immediate problem, a weakness in a vendor's code.

Uhm, you might need to run that by me again...

Hijacking the connection is in a completely different class as someone
bombarding you with a bunch of forged BGP packets to close down a
session. Without that MD5 checksum you are quite vulnerable to that. I
haven't seen a vendor come up with a solution to that, because the
problem is on a much more vendor-neutral level...

  Unless you're worried about an adversary who taps into your 
fiber, how is MD5 checksums any better than anti spoofing filters
that protect your BGP peering sessions?  The only benefit I see is
that you can actually verify that your peer is using md5 checksums,
instead of having to take them on faith that they won't permit
someone to spoof their router's address.

  -Dave

-- 
work: dga () lcs mit edu                          me:  dga () pobox com
      MIT Laboratory for Computer Science           http://www.angio.net/


Current thread: