nanog mailing list archives
Re: MD5 in BGP4
From: Sean Donelan <sean () donelan com>
Date: 12 Jul 2000 10:33:06 -0700
On Wed, 12 July 2000, Danny McPherson wrote:
> The primary goal of the BGP MD5 signature option is to protect the TCP substrate from introduction of spoofed TCP segments such as TCP RSTs. These segments could easily be injected from anywhere on the Internet.
BGP MD5 signatures do not protect the TCP/IP stream from spoofed TCP RSTs. The MD5 signature is checked at the BGP application layer after passing through and being acted on by the TCP stack. You can play all sorts of MAC, ARP, ICMP, IP and TCP games with the stream which MD5 won't prevent. Why we haven't seen more of these attacks I don't know for sure.
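For reference, an added example that is not part of the original thread: the TCP MD5 signature option as RFC 2385 specifies it (option kind 19, length 18), with the receiver check the RFC describes, under which a segment whose digest is missing or wrong is dropped. The addresses, ports, key and function names are constructed for illustration, and the TCP checksum is left at zero because only the option is examined.

```python
import hashlib, hmac, socket, struct

MD5SIG_KIND, MD5SIG_LEN = 19, 18   # TCP option kind/length defined by RFC 2385
RST, ACK = 0x04, 0x10

def digest(src, dst, segment, key):
    """RFC 2385 digest: MD5(pseudo-header | fixed header, checksum 0 | data | key)."""
    hdr_len = (segment[12] >> 4) * 4                      # data offset covers options
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) \
        + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]   # zero the checksum field
    return hashlib.md5(pseudo + fixed + segment[hdr_len:] + key).digest()

def build_segment(src, dst, sport, dport, seq, ack, flags, payload=b"", key=None):
    """Build a TCP segment; with a key, append the MD5 option padded to 4 bytes."""
    opt_len = 20 if key is not None else 0                # 18-byte option + 2 EOL pads
    off_flags = (((20 + opt_len) // 4) << 12) | flags
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 16384, 0, 0)
    if key is None:
        return hdr + payload
    placeholder = hdr + bytes(opt_len) + payload          # option bytes are not hashed
    opt = bytes([MD5SIG_KIND, MD5SIG_LEN]) + digest(src, dst, placeholder, key) + b"\x00\x00"
    return hdr + opt + payload

def find_md5_option(segment):
    """Walk the TCP options and return the 16-byte digest, or None if absent."""
    i, end = 20, (segment[12] >> 4) * 4
    while i < end:
        kind = segment[i]
        if kind == 0 or i + 1 >= end:                     # End of Option List / truncated
            break
        if kind == 1:                                     # NOP is a single byte
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > end:                # malformed option
            break
        if kind == MD5SIG_KIND and length == MD5SIG_LEN:
            return segment[i + 2:i + 18]
        i += length
    return None

def accept(src, dst, segment, key):
    """Receiver check on a keyed connection: drop unless the digest matches."""
    got = find_md5_option(segment)
    return got is not None and hmac.compare_digest(got, digest(src, dst, segment, key))

# Constructed sample values (documentation address ranges, made-up key).
A, B, KEY = "192.0.2.1", "198.51.100.2", b"constructed-example-key"
```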