protecting operational networks
Vadim Antonov
avg at pluris.com
Mon Sep 15 22:44:41 UTC 1997
Ran Atkinson wrote:
> IMHO, any serious network operator using OSPF or BGP should
> have already deployed the techniques below (as applicable):
> OSPF with Keyed MD5 Authentication
> BGP-4 with the Keyed MD5 Authentication extension
> as a TCP option.
Well, it does not protect against the threat #1 -- namely source
of perfectly good-looking but bogus routes.
In fact, cryptography is not the best (or most useful) solution
for protecting routing infrastructure from barge-in attacks.
The real solution is very simple -- the packets carrying routing
data should _not_ be routable. ARP is a good example.
Unfortunately the present braindeadedness of IGPs which makes
kludges like iBGP hack necessary makes multihop routing of
network control information inevitable. I would say we should
concentrate on fixing the original problem, not trying to patch
holes in the broken-as-designed architecture.
> WRT ISIS, lack of a CLNP infrastructure limits the ability of
> outsiders to attack a network. Nonetheless, ISIS should probably
> also get some kind of cryptographic authentication extension.
Heh. CLNP is quite widely routed. At some point it was very
useful as a way to defeat access-filter based protection in
ciscos (that was fixed, though).
--vadim
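The two points argued in the post, as an added example that is not part of the original message or of any vendor's code. The first half signs a constructed BGP UPDATE with a keyed-MD5 TCP digest (the RFC 2385 option layout is assumed; addresses, ports, key and prefixes are all made up) and shows that a peer holding the key can push any prefix it likes through the check. The second half is a hypothetical "non-routable" acceptance rule for OSPF: drop anything that did not arrive with TTL 1 to a link-local multicast address, before any authentication is consulted.

```python
"""Added example, not from the original NANOG post.

1. TCP MD5 (RFC 2385 layout assumed) proves a segment came from a holder of
   the shared key; it says nothing about whether the routes inside are real.
2. A "non-routable" filter for OSPF: accept only TTL-1 link-local multicast,
   so a packet that crossed a router is dropped before any crypto runs.
All addresses, ports, keys and prefixes below are constructed for the example.
"""
import hashlib
import hmac
import ipaddress
import struct

# ---- 1. keyed MD5 on the TCP segment (RFC 2385 style) -------------------

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key, opt_len=20):
    """MD5 over pseudo-header, 20-byte TCP header with checksum zeroed and
    options excluded, payload, then key. opt_len is the option bytes carried
    by the real segment (assumed 20: the 18-byte MD5 option plus padding),
    which count towards the pseudo-header's segment length."""
    seg_len = 20 + opt_len + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))
    hdr = bytearray(tcp_header[:20])
    hdr[16:18] = b"\x00\x00"          # checksum assumed zero while signing
    return hashlib.md5(pseudo + bytes(hdr) + payload + key).digest()


def bgp_update(as_path, next_hop, prefixes):
    """Minimal BGP-4 UPDATE: ORIGIN IGP, AS_PATH (AS_SEQUENCE), NEXT_HOP, NLRI."""
    origin = struct.pack("!BBBB", 0x40, 1, 1, 0)
    seq = struct.pack("!BB", 2, len(as_path)) + b"".join(
        struct.pack("!H", a) for a in as_path)
    as_path_attr = struct.pack("!BBB", 0x40, 2, len(seq)) + seq
    nh = struct.pack("!BBB", 0x40, 3, 4) + ipaddress.IPv4Address(next_hop).packed
    attrs = origin + as_path_attr + nh
    nlri = b""
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        n = (net.prefixlen + 7) // 8
        nlri += bytes([net.prefixlen]) + net.network_address.packed[:n]
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body


def nlri_prefixes(update):
    """Announced prefixes carried by an UPDATE built above."""
    body = update[19:]
    wlen = struct.unpack("!H", body[:2])[0]
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    nlri = body[4 + wlen + alen:]
    out, i = [], 0
    while i < len(nlri):
        plen = nlri[i]
        n = (plen + 7) // 8
        addr = nlri[i + 1:i + 1 + n].ljust(4, b"\x00")
        out.append(f"{ipaddress.IPv4Address(addr)}/{plen}")
        i += 1 + n
    return out


KEY = b"constructed-shared-secret"            # constructed
PEER, ME = "192.0.2.1", "192.0.2.2"            # constructed peers
# src port 179, dst 45123, seq/ack, data offset 10 words (20 hdr + 20 opts),
# flags PSH|ACK, window, checksum 0, urgent 0. Constructed.
TCP_HDR = struct.pack("!HHIIBBHHH", 179, 45123, 1000, 2000, 10 << 4, 0x18,
                      65535, 0, 0)


def sign_segment(payload, key=KEY):
    return tcp_md5_digest(PEER, ME, TCP_HDR, payload, key)


def accept_segment(payload, digest, key=KEY):
    """What the MD5 option check verifies: key possession, nothing more."""
    return hmac.compare_digest(digest, tcp_md5_digest(PEER, ME, TCP_HDR,
                                                      payload, key))


def authenticated_but_bogus():
    """The keyed peer announces prefixes it has no business originating.
    The digest verifies; no part of the check ever looks at the NLRI."""
    upd = bgp_update([64496], PEER, ["203.0.113.0/24", "198.51.100.0/24"])
    return accept_segment(upd, sign_segment(upd)), nlri_prefixes(upd)


# ---- 2. "not routable" control plane: OSPF must be link-local -----------

OSPF_LINK_LOCAL = (ipaddress.IPv4Address("224.0.0.5"),
                   ipaddress.IPv4Address("224.0.0.6"))


def accept_igp_packet(dst_ip, ttl, proto):
    """Hypothetical ingress rule: OSPF (IP proto 89) is accepted only with
    TTL 1 to AllSPFRouters/AllDRouters, as RFC 2328 sends it on broadcast
    links. A forwarded packet has a lower TTL or a unicast destination and
    is dropped here regardless of any authentication. Unicast OSPF (virtual
    links, NBMA) is deliberately out of scope for this example."""
    if proto != 89 or ttl != 1:
        return False
    return ipaddress.IPv4Address(dst_ip) in OSPF_LINK_LOCAL


if __name__ == "__main__":
    ok, prefixes = authenticated_but_bogus()
    print("MD5 verified:", ok, "announced:", prefixes)
    print("OSPF from a remote hop accepted:",
          accept_igp_packet("224.0.0.5", 254, 89))
```

`authenticated_but_bogus()` is the post's threat #1 in miniature: the segment is perfectly authenticated and still carries whatever prefixes the keyed peer chose, so the MD5 option has to be combined with prefix filtering to mean anything. `accept_igp_packet()` is the other half of the argument: the check is purely about where the packet could have come from, and a router that forwards OSPF between subnets would fail it without any key being involved.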