nanog mailing list archives

Re: tcp md5 bgp attacks?

From: lobna gouda <lobna_gouda () hotmail com>
Date: Wed, 15 Aug 2018 23:06:11 +0000

Out of curiosity, are you asking for a specific  research/project that you need some data for?


GTSM is not a replacement for the ACL filtering the bgp speakers or the MD5 ( that is widely supported).

 If GTSM is not supported you can always predefine the TTL  it in the session and manipulate the defaults ( 1 for EBGP 
64 IBGP) yet this is works on small scale networks.

Another practice is to define who starts the session ( as port 179 is not hard to figure). Yet in all case the ACL is 
your first defense who is allowed for TCP and when the session is established what they can advertise and what you are 
willing to accept across the session ( NXT hop, n0. of routers, as-path, communities....etc).





https://www.noction.com/blog/bgp_security_md5_password_and_gtsm

[https://www.noction.com/wp-content/uploads/2015/04/MD5-password.png]<https://www.noction.com/blog/bgp_security_md5_password_and_gtsm>

BGP Security – the MD5 password and GTSM | Noction<https://www.noction.com/blog/bgp_security_md5_password_and_gtsm>
www.noction.com
There are three security mechanisms that can protect against potential security issues with BGP: the BGP TCP MD5 
password, IPsec and GTSM...


Brgds,


LG





________________________________
From: NANOG <nanog-bounces () nanog org> on behalf of Randy Bush <randy () psg com>
Sent: Tuesday, August 14, 2018 5:38 PM
To: North American Network Operators' Group
Subject: tcp md5 bgp attacks?

so we started to wonder if, since we started protecting our bgp
sessions with md5 (in the 1990s), are there still folk trying to
attack?

we were unable to find bgp mib counters.  there are igp interface
counters, but that was not our immediate interest.  we did find
that md5 failures are logged.

looking at my logs for a few years, i find essentially nothing;
two 'attackers,' one my own ibgp peer, and one that noted evildoer
rob thomas, bgprs01.ord08.cymru.com.

we would be interested in data from others.

note that we are neither contemplating nor suggesting removing md5
from [y]our bgp sessions.

randy

[https://ipmcdn.avast.com/images/icons/icon-envelope-tick-round-orange-animated-no-repeat-v1.gif]<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=icon>
    Virus-free. 
www.avast.com<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail&utm_term=link>

Current thread:

Re: tcp md5 bgp attacks?, (continued)
- - Re: tcp md5 bgp attacks? Roland Dobbins (Aug 14)
  - Re: tcp md5 bgp attacks? Fred Baker (Aug 15)
- Re: tcp md5 bgp attacks? joel jaeggli (Aug 14)
  - Re: tcp md5 bgp attacks? Randy Bush (Aug 14)
    - Re: tcp md5 bgp attacks? Roland Dobbins (Aug 14)
    - Re: tcp md5 bgp attacks? Randy Bush (Aug 15)
    - Re: tcp md5 bgp attacks? joel jaeggli (Aug 14)
    - Re: tcp md5 bgp attacks? Niels Bakker (Aug 19)
- RE: tcp md5 bgp attacks? Lotia, Pratik M (Aug 15)
  - Re: tcp md5 bgp attacks? Garrett Skjelstad (Aug 20)
- Re: tcp md5 bgp attacks? lobna gouda (Aug 15)
- Re: tcp md5 bgp attacks? John Kristoff (Aug 14)
  - Re: tcp md5 bgp attacks? Randy Bush (Aug 14)
    - Re: tcp md5 bgp attacks? Jared Mauch (Aug 14)
    - Re: tcp md5 bgp attacks? Randy Bush (Aug 14)
    - Re: tcp md5 bgp attacks? Jared Mauch (Aug 14)
    - Re: tcp md5 bgp attacks? Randy Bush (Aug 14)