protecting operational networks

Vadim Antonov avg at
Mon Sep 15 22:44:41 UTC 1997

Ran Atkinson wrote:
> IMHO, any serious network operator using OSPF or BGP should
> have already deployed the techniques below (as applicable):
>         OSPF with Keyed MD5 Authentication
>         BGP-4 with the Keyed MD5 Authentication extension
>                 as a TCP option.

Well, it does not protect against the threat #1 -- namely source
of perfectly good-looking but bogus routes.

In fact, cryptography is not the best (or most useful) solution
for protecting routing infrastructure from barge-in attacks.
The real solutuion is very simple -- the packets carrying routing
data should _not_ be routable.  ARP is a good example.

Unfortunately the present braindeadedness of IGPs which makes
kludges like iBGP hack necessary makes multihop routing of
network control information inevitable.  I would say we should
concentrate on fixing the original problem, not trying to patch
holes in the broken-as-designed architecture.

> WRT ISIS, lack of a CLNP infrastructure limits the ability of
> outsiders to attack a network.  Nonetheless, ISIS should probably
> also get some kind of cryptographic authentication extension.

Heh.  CLNP is quite widely routed.  At some point it was very
useful as a way to defeat access-filter based protection in
ciscos (that was fixed, though).


More information about the NANOG mailing list