nanog mailing list archives
Re: tcp md5 bgp attacks?
From: Fred Baker <fredbaker.ietf () gmail com>
Date: Tue, 14 Aug 2018 16:34:11 -0700
Well, think about RST attacks, in which someone bombards a TCP connection with TCP RESET in the hopes of threading a needle and taking it down. It's not the end of the world - BGP restarts - but there is an outage. The simplest way to protect against that (and against having someone with a hijacked IP address connect to your router) is to put mutual authentication on the TCP connection. Having it also at the BGP layer, and having ACLs to be sure you know what's going on, are good things, but TCP MD5, TCP-AO, or IPsec are an awful lot safer.
On Aug 14, 2018, at 4:28 PM, Grant Taylor via NANOG <nanog () nanog org> wrote: On 08/14/2018 03:38 PM, Randy Bush wrote:so we started to wonder if, since we started protecting our bgp sessions with md5 (in the 1990s), are there still folk trying to attack?n00b response here I thought using ACLs or otherwise protecting the BGP endpoint was best practice. Thus it's really hard to even try break an MD5 protected BGP session if you can't even establish the TCP connection. Everything that I've seen or set up had an ACL to only allow the peer(s) to be able to connect to (from memory) TCP port 179. Is there something that I've missed the boat on? #learningOpportunity -- Grant. . . . unix || die
-------------------------------------------------------------------------------- The fact that there is a highway to hell and a stairway to heaven is an interesting comment on projected traffic volume...
Attachment:
signature.asc
Description: Message signed with OpenPGP
Current thread:
- tcp md5 bgp attacks? Randy Bush (Aug 14)
- Re: tcp md5 bgp attacks? Grant Taylor via NANOG (Aug 14)
- Re: tcp md5 bgp attacks? Job Snijders (Aug 14)
- Re: tcp md5 bgp attacks? Roland Dobbins (Aug 14)
- Re: tcp md5 bgp attacks? Fred Baker (Aug 15)
- Re: tcp md5 bgp attacks? joel jaeggli (Aug 14)
- Re: tcp md5 bgp attacks? Randy Bush (Aug 14)
- Re: tcp md5 bgp attacks? Roland Dobbins (Aug 14)
- Re: tcp md5 bgp attacks? Randy Bush (Aug 15)
- Re: tcp md5 bgp attacks? joel jaeggli (Aug 14)
- Re: tcp md5 bgp attacks? Niels Bakker (Aug 19)
- Re: tcp md5 bgp attacks? Randy Bush (Aug 14)
- Re: tcp md5 bgp attacks? Grant Taylor via NANOG (Aug 14)
- RE: tcp md5 bgp attacks? Lotia, Pratik M (Aug 15)
- Re: tcp md5 bgp attacks? Garrett Skjelstad (Aug 20)
- Re: tcp md5 bgp attacks? lobna gouda (Aug 15)
- <Possible follow-ups>
- Re: tcp md5 bgp attacks? John Kristoff (Aug 14)