nanog mailing list archives
Re: MD5 for TCP/BGP Sessions
From: vijay gill <vgill () vijaygill com>
Date: Wed, 30 Mar 2005 18:52:26 -0500
Stephen J. Wilcox wrote:
without wishing to repeat what can be googled for.. putting acls on your edge to protect your ebgp sessions won't work for obvious reasons -- to spoof data and disrupt a session you have to spoof the srcip which of course the acl will allow in
This is why you either have a stateful firewall in your router that pushes a dynamic acl down to the linecard (or equivalent forwarding place where the for_us vs through_us decision is made), and filter it there. That makes guessing the correct 5 tuple a bit harder. Obviously GTSM is the closest we have yet to hardening (note I did not use securing) the session.
On average, the stateful filter will cause the attacker to try 32000 times to find the correct 4-tuple. Conversely, attacker resources will need to be on average 32000 times greater to adversely affect a router. The cost of attacking infrastructure has risen, but the cost to the defender is minor.
Each configured BGP session already has all the state needed above to populate the filter.
/vijay
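An added illustration of the per-session filter described in the message above (example code written for this page, not from the post, the thread, or any router vendor). It models, in Python, the difference between a static edge ACL (which can only match the peer and local addresses and the well-known port 179) and a dynamic filter derived from each established session's full 4-tuple plus a GTSM TTL floor. The session records, the packet fields, the hop counts and the ephemeral port range 1024-65535 are assumptions made for the example; the sample sessions and packets are constructed. The `expected_guesses` helper reproduces the "about 32000 tries" figure under those assumptions and counts only the ephemeral port, not TCP sequence-number guessing, which is additional work for the attacker.

```python
"""Static edge ACL vs. dynamic per-session control-plane filter for BGP.

Example code (not from the original post). Simplified model: a session record
holds the addresses and ports from the TCP control block of an established
BGP session; a packet is a dict with the same fields plus its arriving TTL.
"""
from dataclasses import dataclass

BGP_PORT = 179
MAX_TTL = 255  # GTSM: packets from a directly connected peer arrive with TTL 255


@dataclass(frozen=True)
class BgpSession:
    """One established BGP session seen from the local router (assumed shape).

    Ports are known only once the TCP session is up: one side is 179, the
    other side is an ephemeral port chosen by whoever opened the connection.
    """
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    hops: int = 1  # assumed distance to the peer; 1 = directly connected

    def min_ttl(self) -> int:
        """Lowest TTL a genuine packet from this peer can arrive with (GTSM floor)."""
        return MAX_TTL - self.hops + 1


def static_edge_acl(sessions):
    """Classic edge ACL: permit TCP between each peer address and our address.

    It cannot pin the ephemeral port, because that is unknown at config time,
    so anything spoofing the peer's source address gets through it.
    """
    return {(s.remote_ip, s.local_ip) for s in sessions}


def dynamic_session_filter(sessions):
    """Filter pushed down to the forwarding place once a session is up:
    the exact 4-tuple in the peer -> us direction plus the GTSM TTL floor."""
    return {(s.remote_ip, s.remote_port, s.local_ip, s.local_port, s.min_ttl())
            for s in sessions}


def passes_static_acl(pkt, acl):
    """Edge ACL decision: right address pair and port 179 on either end."""
    return (pkt["proto"] == "tcp"
            and (pkt["src_ip"], pkt["dst_ip"]) in acl
            and BGP_PORT in (pkt["src_port"], pkt["dst_port"]))


def passes_dynamic_filter(pkt, entries):
    """for_us decision: only the live 4-tuple, and only at a plausible TTL."""
    if pkt["proto"] != "tcp":
        return False
    key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
    for src_ip, src_port, dst_ip, dst_port, min_ttl in entries:
        if key == (src_ip, src_port, dst_ip, dst_port):
            return pkt["ttl"] >= min_ttl
    return False


def classify(pkt, sessions):
    """Run one packet through both filters and report the two verdicts."""
    return {"static_acl": passes_static_acl(pkt, static_edge_acl(sessions)),
            "dynamic": passes_dynamic_filter(pkt, dynamic_session_filter(sessions))}


def expected_guesses(ephemeral_low=1024, ephemeral_high=65535):
    """Average number of 4-tuples an attacker who already knows both addresses
    and the well-known port must try to hit the live ephemeral port, guessing
    each port once in random order (assumed range; sequence numbers not counted)."""
    n = ephemeral_high - ephemeral_low + 1
    return (n + 1) / 2


# Constructed sample data: one session the peer opened to us, one we opened.
SESSIONS = [
    BgpSession("192.0.2.1", 179, "192.0.2.2", 51001),
    BgpSession("198.51.100.1", 40002, "198.51.100.2", 179),
]

PACKETS = {
    "genuine": {"proto": "tcp", "src_ip": "192.0.2.2", "src_port": 51001,
                "dst_ip": "192.0.2.1", "dst_port": 179, "ttl": 255},
    # Spoofed source address, but the attacker guessed the ephemeral port wrong.
    "spoofed_wrong_port": {"proto": "tcp", "src_ip": "192.0.2.2", "src_port": 51002,
                           "dst_ip": "192.0.2.1", "dst_port": 179, "ttl": 255},
    # Right 4-tuple, but it travelled several hops: GTSM rejects it.
    "spoofed_low_ttl": {"proto": "tcp", "src_ip": "192.0.2.2", "src_port": 51001,
                        "dst_ip": "192.0.2.1", "dst_port": 179, "ttl": 250},
    # Unrelated host: both filters drop it.
    "other_host": {"proto": "tcp", "src_ip": "203.0.113.9", "src_port": 51001,
                   "dst_ip": "192.0.2.1", "dst_port": 179, "ttl": 255},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:20s} {classify(pkt, SESSIONS)}")
    print("expected guesses to find the ephemeral port:", expected_guesses())
```

The two spoofed packets are the point: a static edge ACL passes both, because it can only see the peer address and port 179, while the per-session filter passes only the packet that matches the live 4-tuple and arrives at the GTSM TTL floor.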
Current thread:
- MD5 for TCP/BGP Sessions Doug Legge (Mar 30)
- Re: MD5 for TCP/BGP Sessions John Kristoff (Mar 30)
- Re: MD5 for TCP/BGP Sessions Pekka Savola (Mar 30)
- Re: MD5 for TCP/BGP Sessions Stephen J. Wilcox (Mar 30)
- Re: MD5 for TCP/BGP Sessions vijay gill (Mar 30)
- Re: MD5 for TCP/BGP Sessions Christopher L. Morrow (Mar 30)
- Re: MD5 for TCP/BGP Sessions vijay gill (Mar 30)
- Re: MD5 for TCP/BGP Sessions Christopher L. Morrow (Mar 30)
- Re: MD5 for TCP/BGP Sessions Pekka Savola (Mar 30)
- Re: MD5 for TCP/BGP Sessions Pekka Savola (Mar 30)
- Re: MD5 for TCP/BGP Sessions Stephen J. Wilcox (Mar 31)
- Re: MD5 for TCP/BGP Sessions Pekka Savola (Mar 31)
- Re: MD5 for TCP/BGP Sessions Eduardo Ascenco Reis (Mar 31)
- Re: MD5 for TCP/BGP Sessions John Kristoff (Mar 30)