nanog mailing list archives

Alternatives to MD5 [Re: Winstar says there is no TCP/BGP vulnerability]


From: Pekka Savola <pekkas () netcore fi>
Date: Wed, 21 Apr 2004 09:25:14 +0300 (EEST)


On Tue, 20 Apr 2004, Rodney Joffe wrote:
> However, perhaps someone from Winstar would care to help us all
> understand what the alternative solution is to securing the session via
> MD5? I would *love* an alternative to the 5 days of work we've just gone
> through.

1) Deploy correct ingress/egress filtering at all of your edges, and 

2) Make sure your upstreams/peers do that as well at least for the
p-t-p prefixes you use between you and them.

If you can't assume 2), you need something like GTSM or MD5 for
the BGP sessions between you and your peers/upstreams.

Note that I assume that if customers don't do ingress/egress filtering
for their p-t-p prefixes, they are shooting themselves in the foot,
and are the only people suffering from the resets.  Similar techniques 
as mentioned in the previous paragraph could be applied as well, of 
course.

That is, a thing most people seem to be forgetting is that for these TCP 
packets to be processed, they must be spoofed to come from a certain 
source IP address.  If packets spoofed from that address are summarily 
discarded at appropriate places before reaching the infrastructure, 
you're pretty much safe.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
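Added example, not part of Pekka's message or anything else in the thread: a small Python model of the two defences he describes, a BCP38-style ingress/egress filter on the point-to-point link prefixes and a GTSM (TTL) check for a directly connected BGP peer. The interface names, the 192.0.2.0/30 link and the sample packets are constructed for the illustration and stand in for no real network. It shows the three cases from the message: a genuine segment from the peer, a spoof that enters through a transit interface (stopped by your own edge filter), and a spoof that arrives over the p-t-p link because the upstream did not filter (stopped by GTSM, since its TTL has been decremented on the way).

```python
"""Model of spoofing defences for a BGP session: BCP38-style ingress
filtering of p-t-p link prefixes, and GTSM (RFC 3682/5082) TTL checking.

Added, self-contained illustration. Addresses (TEST-NET-1), interface
names and packets are constructed for the example only.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    ttl: int        # IPv4 TTL as received on the router
    in_iface: str   # interface the packet arrived on
    dport: int = BGP_PORT


# Constructed topology (assumption for the example): one p-t-p link to an
# upstream on ge-0/0/1; ge-0/0/0 is a transit interface facing everything
# else.  interface -> (link prefix, our address, peer address)
PTP_LINKS = {
    "ge-0/0/1": (ipaddress.ip_network("192.0.2.0/30"),
                 ipaddress.ip_address("192.0.2.1"),
                 ipaddress.ip_address("192.0.2.2")),
}


def ingress_filter(pkt: Packet) -> tuple[bool, str]:
    """Point 1 of the message: a packet whose source lies in a p-t-p link
    prefix is only legitimate if it arrived on that very link.  Anything
    else claiming such a source is a spoof and is dropped at the edge,
    before it can reach the BGP process."""
    src = ipaddress.ip_address(pkt.src)
    for iface, (prefix, _ours, _peer) in PTP_LINKS.items():
        if src in prefix and pkt.in_iface != iface:
            return False, (f"source {pkt.src} belongs to {prefix} on {iface}, "
                           f"but arrived on {pkt.in_iface}")
    return True, "ok"


def gtsm_check(pkt: Packet, hops: int = 1) -> tuple[bool, str]:
    """GTSM: the peer is configured to send with TTL 255 and every router
    in between decrements it, so a genuine segment from a 1-hop peer shows
    TTL 255 on arrival.  A spoof injected farther away cannot reach 255.
    Accept only ttl >= 255 - hops + 1."""
    minimum = 255 - hops + 1
    if pkt.ttl < minimum:
        return False, f"ttl {pkt.ttl} below {minimum} required for a {hops}-hop peer"
    return True, "ok"


def accept_bgp_segment(pkt: Packet, hops: int = 1) -> tuple[bool, str]:
    """Combined decision for a segment aimed at our BGP speaker: the
    src/dst pair must be a configured peer and our own link address, then
    the ingress filter and GTSM must both pass."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.dport != BGP_PORT:
        return False, "not addressed to BGP"
    known = any(peer == src and ours == dst
                for (_p, ours, peer) in PTP_LINKS.values())
    if not known:
        return False, f"{pkt.src}->{pkt.dst} is not a configured peer pair"
    for check in (ingress_filter, lambda p: gtsm_check(p, hops)):
        ok, why = check(pkt)
        if not ok:
            return False, why
    return True, "accepted"


# Constructed sample traffic, one packet per case discussed in the message.
SAMPLE_PACKETS = {
    # the real peer, one hop away, on the right interface
    "genuine":       Packet("192.0.2.2", "192.0.2.1", 255, "ge-0/0/1"),
    # spoofed peer address entering via the transit interface
    "spoof_transit": Packet("192.0.2.2", "192.0.2.1", 255, "ge-0/0/0"),
    # spoof that the (non-filtering) upstream forwarded down the p-t-p
    # link; TTL was decremented at every hop on the way
    "spoof_far":     Packet("192.0.2.2", "192.0.2.1", 241, "ge-0/0/1"),
}


def evaluate_all() -> dict[str, tuple[bool, str]]:
    """Run the combined check over every constructed sample packet."""
    return {name: accept_bgp_segment(p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (ok, why) in evaluate_all().items():
        print(f"{name:14s} {'ACCEPT' if ok else 'DROP  '} {why}")
```

The split between the two functions mirrors the message: if you control all of your edges, `ingress_filter` alone is enough for the spoof_transit case, but a spoof that arrives over the p-t-p link itself (spoof_far, the upstream-did-not-filter case) is only caught by GTSM or by an MD5-protected session, which the model does not implement.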

