Re: MD5 in BGP4

[Walter Prue <prue () ISI EDU>]

> "HANSEN CHAN" wrote:
> > I understand that MD5 is quite commonly used in IGP such as OSPF but not
> > in BGP4. Am I correct? Can someone explain to me why? Shouldn't one be
> > more concerned the session being hijacked when talking to another
> > network?


> i believe this is because bgp will not establish a session unless the other
> end is directly connected.  hence the reason for ebgp-multihop.  so unless
> somebody drops a physical line into your router and configures it, you
> shouldn't have a problem.

The norm for E-BGP is that the packets to the neighbor are created with
a TTL of 1 making the packets die if they are not addressed to a
neighbor one hop away.  However some folks run multihop BGP for
various reasons.  When they do they may not be so careful setting the
hop count.

However, regardless of how a well behaved router acts, a misbehaving
node can violate these rules and set the hop count to anything that
suites their twisted purposes.  Most routers won't check to see that a
packet, it is forrwarding, is sourced from its own IP address and thus
not detect that a misbehaving node multiple hops away is trying to
attack its BGP neighbors BGP TCP session.  A full hijack of the session
however would be less likely because the return packets are unlikely to
reach the misbehaving node.  So a misbehaving host could potentially
cause a session reset and a route flap but not persist in a hijacked BGP
session, feeding and consuming routing updates.

When a general purpose node (ie. Unix node) is between two EBGP speakers
running multihop BGP such an attack is possible.  It is also quite possible
in a situation where BGP speakers are on a shared media.

Walt Prue