nanog mailing list archives

Re: MD5 in BGP4


From: Danny McPherson <danny () tcb net>
Date: Wed, 12 Jul 2000 11:49:34 -0600



I suggest you go (re?)read RFC 2385.  Intuitively, 
it's called the TCP MD5 Signature Option, not the 
BGP MD5 Signature Option.

Again, it's not insurmountable, though it is far, 
far better than nothing.

-danny

> BGP MD5 signatures do not protect the TCP/IP stream from
> spoofed TCP RSTs.  The MD5 signature is checked at the
> BGP application layer after passing through and being
> acted on by the TCP stack.  You can play all sorts of
> MAC, ARP, ICMP, IP and TCP games with the stream which
> MD5 won't prevent.
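Danny's point, that RFC 2385 is a TCP option verified by the TCP stack before a segment's flags (RST included) are acted on, can be seen by building the digest the RFC specifies: MD5 over the pseudo-header, the option-less TCP header with checksum zeroed, the segment data, and the shared key, carried in TCP option kind 19. The following is an added example and is not code from this post or the NANOG thread; the addresses, ports, key and the BGP KEEPALIVE payload are constructed, and the TCP checksum is left at zero since the digest is computed with it zeroed anyway.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCP_MD5_OPT_KIND = 19   # RFC 2385 option kind
TCP_MD5_OPT_LEN = 18    # kind(1) + length(1) + 16-byte digest
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def _pseudo_header(src_ip, dst_ip, seg_len):
    # RFC 2385 section 2.0, item 1: src addr, dst addr, zero, protocol, TCP segment length
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, seg_len))


def _fixed_header(sport, dport, seq, ack, data_offset_words, flags, window):
    # 20-byte TCP header with checksum and urgent pointer set to zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, key, seg_len):
    """Digest over pseudo-header, option-less TCP header (checksum zeroed),
    segment data and key, in that order (RFC 2385 section 2.0)."""
    h = hashlib.md5()
    h.update(_pseudo_header(src_ip, dst_ip, seg_len))
    h.update(fixed_header)
    h.update(payload)
    h.update(key)
    return h.digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key, window=65535):
    """Build a TCP segment carrying the MD5 option (checksum left zero here;
    a real stack fills it in after the digest is computed)."""
    opts_len = TCP_MD5_OPT_LEN + 2          # pad to a 32-bit boundary with two NOPs
    data_offset_words = (20 + opts_len) // 4
    seg_len = 20 + opts_len + len(payload)
    fixed = _fixed_header(sport, dport, seq, ack, data_offset_words, flags, window)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, payload, key, seg_len)
    options = bytes([TCP_MD5_OPT_KIND, TCP_MD5_OPT_LEN]) + digest + b"\x01\x01"
    return fixed + options + payload


def verify_segment(src_ip, dst_ip, segment, key):
    """What a receiving TCP does on a protected connection: locate the MD5
    option, recompute the digest, and discard (return False) on absence or
    mismatch. This runs before the flags, RST included, are acted on."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    options, payload = segment[20:data_offset], segment[data_offset:]
    digest = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:              # end of option list
            break
        if kind == 1:              # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return False
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return False
        if kind == TCP_MD5_OPT_KIND:
            if length != TCP_MD5_OPT_LEN:
                return False
            digest = options[i + 2:i + length]
        i += length
    if digest is None:
        return False               # RFC 2385: an unsigned segment on a protected connection is discarded
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]   # checksum zeroed, options excluded
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, payload, key, len(segment))
    return hmac.compare_digest(digest, expected)


def demo():
    """Constructed scenario: peer A (192.0.2.1) speaks BGP to B (192.0.2.2)
    under a shared key; an attacker who can spoof A's address but does not
    hold the key tries to reset the session."""
    key = b"example-bgp-secret"
    a, b = "192.0.2.1", "192.0.2.2"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"     # BGP KEEPALIVE: marker, length 19, type 4
    good = build_segment(a, b, 179, 40001, 1000, 2000, FLAG_ACK | FLAG_PSH, keepalive, key)
    spoofed_rst = build_segment(a, b, 179, 40001, 1019, 2000, FLAG_RST | FLAG_ACK, b"", b"guess")
    bare_rst = _fixed_header(179, 40001, 1019, 2000, 5, FLAG_RST | FLAG_ACK, 0)
    tampered = good[:13] + bytes([FLAG_RST]) + good[14:]   # flip the flags of a genuine segment
    return {
        "genuine": verify_segment(a, b, good, key),
        "rst_wrong_key": verify_segment(a, b, spoofed_rst, key),
        "rst_no_option": verify_segment(a, b, bare_rst, key),
        "tampered_flags": verify_segment(a, b, tampered, key),
        "genuine_wrong_src": verify_segment("198.51.100.9", b, good, key),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18s} accepted={accepted}")
```

Only the genuine segment is accepted; a RST with a guessed key, a RST with no option at all, a genuine segment whose flags were flipped in transit, and a genuine segment arriving from a different source address are all discarded by the TCP layer before the RST logic ever sees them. The option does not stop an attacker who can still fill the link with junk, and MD5 itself is the weak part of the design today, which is the sense in which it is "not insurmountable, though far better than nothing".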
