nanog mailing list archives
RE: Winstar says there is no TCP/BGP vulnerability
From: "Michel Py" <michel () arneill-py sacramento ca us>
Date: Tue, 20 Apr 2004 21:51:06 -0700
Patrick / Christopher,
Michel Py wrote: Please forgive me if I'm naive and/or ask a stupid question, but is there any reason (besides your platform not supporting it) _not_ to MD5 your BGP sessions? Geez, on my _home_ router all my v4 BGP sessions are MD5ed (v6 not there yet).
Patrick W.Gilmore wrote: There is serious operational overhead in maintaining sync'ed passwords between separate organizations. IOW: Eventually someone will screw up and lose the password. [large snip]
Thanks for the insight. I have an even dumber question: Context: set aside the MD5, the way I configure BGP sessions/traffic from/to peers is as follows: a) A generic (configured in the peer-group) route-map to filter the routes I announce to the peer to be only my blocks. b) A specific-to-the-peer route-map to filter the routes I receive from the peer to the peer's blocks, as agreed in the beer drinking meeting ^H^H^H^H BLPA. This route map is not entirely specific, as I also put in stuff such as deny RFC1918 routes ;-) c) A generic access-list filtering ingress traffic from the peer to me to allow only traffic which DA is mine. (cracks me up if the peer sets a default to me :-) d) A generic access-list filtering egress traffic from me to the peer to allow only traffic which SA is mine. Now, the dumb question: Given: 1) The context above especially item b 2) Christopher Morrow's comments below Explain me what having or not having the MD5 password changes. Either you're small and/or stupid and do it manually, or you have an automated system that does it for you.
Christopher L. Morrow wrote: there is the issue of changing the keys during operations without impacting the network, eh? Having to bounce every bgp session in your network can be pretty darned painful... if you change the key(s) of course.
See above: Changing the route-map is equally painful.
If you don't you might as well not have keys, since adding the 3 lines of C code required to Paul Watsons' program making it do the hashing certainly won't be a big deal, eh?
I'm weak with C. Besides adding "neighbor x.x.x.x password 7 " below
"enable-password 7 " for each peer (which requires recompiling, how
annoying) would you care sharing the 3 said lines for the code below :-)
Michel.
#include <stdio.h>
#include <ctype.h>
char xlat[] = {
0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,
0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,
0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44
};
char pw_str1[] = "password 7 ";
char pw_str2[] = "enable-password 7 ";
char *pname;
cdecrypt(enc_pw, dec_pw)
char *enc_pw;
char *dec_pw;
{
unsigned int seed, i, val = 0;
if(strlen(enc_pw) & 1)
return(-1);
seed = (enc_pw[0] - '0') * 10 + enc_pw[1] - '0';
if (seed > 15 || !isdigit(enc_pw[0]) || !isdigit(enc_pw[1]))
return(-1);
for (i = 2 ; i <= strlen(enc_pw); i++) {
if(i !=2 && !(i & 1)) {
dec_pw[i / 2 - 2] = val ^ xlat[seed++];
val = 0;
}
val *= 16;
if(isdigit(enc_pw[i] = toupper(enc_pw[i]))) {
val += enc_pw[i] - '0';
continue;
}
if(enc_pw[i] >= 'A' && enc_pw[i] <= 'F') {
val += enc_pw[i] - 'A' + 10;
continue;
}
if(strlen(enc_pw) != i)
return(-1);
}
dec_pw[++i / 2] = 0;
return(0);
}
usage()
{
fprintf(stdout, "Usage: %s -p <encrypted password>\n", pname);
fprintf(stdout, " %s <router config file> <output
file>\n", pname);
return(0);
}
main(argc,argv)
int argc;
char **argv;
{
FILE *in = stdin, *out = stdout;
char line[257];
char passwd[65];
unsigned int i, pw_pos;
pname = argv[0];
if(argc > 1)
{
if(argc > 3) {
usage();
exit(1);
}
if(argv[1][0] == '-')
{
switch(argv[1][1]) {
case 'h':
usage();
break;
case 'p':
if(cdecrypt(argv[2], passwd)) {
fprintf(stderr, "Error.\n");
exit(1);
}
fprintf(stdout, "password: %s\n",
passwd);
break;
default:
fprintf(stderr, "%s: unknow option.",
pname);
}
return(0);
}
if((in = fopen(argv[1], "rt")) == NULL)
exit(1);
if(argc > 2)
if((out = fopen(argv[2], "wt")) == NULL)
exit(1);
}
while(1) {
for(i = 0; i < 256; i++) {
if((line[i] = fgetc(in)) == EOF) {
if(i)
break;
fclose(in);
fclose(out);
return(0);
}
if(line[i] == '\r')
i--;
if(line[i] == '\n')
break;
}
pw_pos = 0;
line[i] = 0;
if(!strncmp(line, pw_str1, strlen(pw_str1)))
pw_pos = strlen(pw_str1);
if(!strncmp(line, pw_str2, strlen(pw_str2)))
pw_pos = strlen(pw_str2);
if(!pw_pos) {
fprintf(stdout, "%s\n", line);
continue;
}
if(cdecrypt(&line[pw_pos], passwd)) {
fprintf(stderr, "Error.\n");
exit(1);
}
else {
if(pw_pos == strlen(pw_str1))
fprintf(out, "%s", pw_str1);
else
fprintf(out, "%s", pw_str2);
fprintf(out, "%s\n", passwd);
}
}
}
Current thread:
- Re: Winstar says there is no TCP/BGP vulnerability, (continued)
- Re: Winstar says there is no TCP/BGP vulnerability Patrick W . Gilmore (Apr 20)
- Re: Winstar says there is no TCP/BGP vulnerability Rob Thomas (Apr 20)
- Re: Winstar says there is no TCP/BGP vulnerability Patrick W . Gilmore (Apr 20)
- Re: Winstar says there is no TCP/BGP vulnerability E.B. Dreger (Apr 22)
- Re: Winstar says there is no TCP/BGP vulnerability Alexei Roudnev (Apr 22)
- Re: Winstar says there is no TCP/BGP vulnerability Patrick W . Gilmore (Apr 20)
- RE: Winstar says there is no TCP/BGP vulnerability Christopher L. Morrow (Apr 20)
- Re: Winstar says there is no TCP/BGP vulnerability Robert E. Seastrom (Apr 21)
- Re: Winstar says there is no TCP/BGP vulnerability Christopher L. Morrow (Apr 21)
- Re: Winstar says there is no TCP/BGP vulnerability Joe Rhett (Apr 20)
- RE: Winstar says there is no TCP/BGP vulnerability Christopher L. Morrow (Apr 20)
- Re: Winstar says there is no TCP/BGP vulnerability Patrick W . Gilmore (Apr 20)
- RE: Winstar says there is no TCP/BGP vulnerability Christopher L. Morrow (Apr 20)
- RE: Winstar says there is no TCP/BGP vulnerability David Luyer (Apr 21)
- RE: Winstar says there is no TCP/BGP vulnerability David Luyer (Apr 21)
- Re: Winstar says there is no TCP/BGP vulnerability Iljitsch van Beijnum (Apr 21)
- Re: Winstar says there is no TCP/BGP vulnerability Patrick W . Gilmore (Apr 21)
- Re: Winstar says there is no TCP/BGP vulnerability Jared Mauch (Apr 21)