Re: tcp md5 bgp attacks?

[Randy Bush <randy () psg com>]

> > something such as, or close to, rfc 4808?
>
> It provides some capability, but for example if I have a large iBGP
> mesh and need to change methods of securing it and have automation
> involved, it can often be a one-shot change unless I can zone some
> routers to different versions of templating to have a smooth
> transition.  Basically the negative side of using peer-groups can be
> quite catastrophic with how you transition from the router software
> without good update packing/replication to one with a good system.  It
> doesn’t need the groups to optimize the leadership replication, but
> you still use them to minimize configuration duplication.
>
> I’m not sure if in 2018 which is the right path from an automation
> perspective, if you can have software specify and iterate everything,
> do you continue to use apply-groups, or just rely upon the automation
> to output the full configuration?
>
> Most systems (including the ones at present and past employers) tend
> to be a variation on template driven in some language(s) where the
> original problem/engineer creep doesn’t account for the proper
> abstract models to allow zoned changes/rollover of subsets of the
> network. Ie: rolling the key is an all-or-nothing operation.
>
> Similar to JTK most of the log messages we see are from people who
> forgot the MD5 key, or at an IX where we did poor relationship
> management so the IP is now reused by others and nobody cleaned up the
> older session(s).
>
> I have heard (but not personally seen) of well formed TCP session
> attacks where md5 may have helped, but since the punt path tends to be
> the weak link and most folks don’t do GTSH/GTSM (or worse, have
> hardware that can’t filter based on this) you still incur the
> expensive punt operation only to have the RP/RE kernel then drop the
> packet.
>
> IOS-XR also has very good/robust defaults with LPTS which helps
> significantly.  I’ve seen quite large attacks against a router be
> mitigated by LPTS and not require the mpp/control plane filters to be
> involved.
>
> Basically, once you roll md5 you may be at risk for having rolled it
> to need a way to undo and that pathway may not be easy, with or
> without automation.

one or both of us needs to reread 4808

randy