What Worked - What Didn't

Patrick W. Gilmore patrick at ianai.net
Mon Sep 17 19:00:21 UTC 2001


At 02:46 PM 9/17/2001 -0400, Valdis.Kletnieks at vt.edu wrote:
 >On Mon, 17 Sep 2001 14:32:35 EDT, "Patrick W. Gilmore" <patrick at ianai.net>
 >said:
 >> If someone can splice into my point-to-point OC system, fake being the
 >> router on the other end, and keep my peer from calling me and asking what
 >
 >You *do* do ingress and egress filtering of your own addresses, and have
 >checked that your router does in fact use cryptographically challenging
 >sequence numbers, right?

I do not do anything.  I Am Not An Isp. :)

But when I did run a network, I did *NOT* ingress filter on my own address 
space.  I ran networks with multi-homed clients.  If I did not allow my own 
address space to be announced to me, I would not have been able to talk to 
my multi-homed downstreams if their link to me was down.  When a link to 
your upstream is down and you cannot send mail to noc@ through your second 
upstream, you tend to get a new upstream pretty quick.

I *ABSOLUTELY* believe in filtering customer announcements into my 
backbone.  Been a big proponent of it for many years.  Search the archives.


As for "cryptographically challenging sequence numbers", well, no, I have 
not inspected the code on any cisco or Juniper routers lately.  Whatever 
sequence numbers they use are the sequence numbers they use, and I ain't 
gonna hack the code to change it.


 >And even if you don't, using MD5 is not *that* expensive (or shouldn't be),
 >and provides security in depth.

I do not *think* it would tax the CPU too much, but it has been at least 3 
years since I have done it.  IIRC, the CPU overhead was near nil.

And it only provides security for the BGP session, not "in depth".  I am 
not saying that is a bad thing, just mentioning the limitation.


 >Unfortunately, I'll bet there's a LOT of routers that don't have filtering
 >in place, don't have good sequence numbers, and don't use MD5.  Enough
 >said...

Actually, I am still not certain why it was said at all.  There are far, 
far more difficult hurdles to overcome when spoofing a BGP session between 
major carriers than the sequence numbers.  And most people notice when a 
major peer goes down, very, very quickly.  MD5 or not.


In fact, I would wager that the misdirected traffic due to the added 
configuration complexity (yes, one line, but trust me, it can be a bitch if 
you forget the line, or forget the password) would far outweigh any savings 
you got from stopping attacks.

But no way to tell for certain since this type of attack is practically 
unheard of.  (Or perhaps that is a way to tell? :)


 >				Valdis Kletnieks

--
TTFN,
patrick
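The "MD5" Valdis and Patrick are discussing is the TCP MD5 Signature Option of RFC 2385, which is what a router's `neighbor ... password` knob turns on. The following is an added example, not code from the thread or from any router vendor: it computes the option the way the RFC specifies (MD5 over the TCP pseudo-header, the fixed TCP header with a zero checksum and no options, the segment data, and the shared key) and then verifies it on the receiving side. The addresses, ports, sequence numbers and keys are constructed sample values; the BGP KEEPALIVE payload is the real 19-byte message format. It illustrates both points made above: a forgotten or mistyped key on one side makes every segment fail verification (the session never comes up), and the digest protects only the TCP segments of that one session, nothing beyond it.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

TCP_PROTO = 6            # IP protocol number for TCP
TCP_MD5SIG_KIND = 19     # RFC 2385 option kind
TCP_MD5SIG_LEN = 18      # kind (1) + length (1) + MD5 digest (16)
BGP_PORT = 179

# A real BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


@dataclass
class Segment:
    """The fields of one TCP segment that RFC 2385 feeds into the digest."""
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    doff_words: int   # header length in 32-bit words, options included
    flags: int
    window: int
    urg: int
    payload: bytes


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over pseudo-header, fixed header, data, key."""
    # The pseudo-header's TCP length covers the whole header (options too) plus data.
    tcp_len = seg.doff_words * 4 + len(seg.payload)
    pseudo = (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    # 20-byte fixed header: data offset in the high nibble, checksum field zeroed,
    # options deliberately excluded so the signature option can be appended afterwards.
    fixed_hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                            seg.doff_words << 4, seg.flags, seg.window, 0, seg.urg)
    h = hashlib.md5()
    for part in (pseudo, fixed_hdr, seg.payload, key):
        h.update(part)
    return h.digest()


def md5_option(seg: Segment, key: bytes) -> bytes:
    """Sender side: the 18-byte option appended to the TCP header."""
    return struct.pack("!BB", TCP_MD5SIG_KIND, TCP_MD5SIG_LEN) + tcp_md5_digest(seg, key)


def verify_md5_option(seg: Segment, option: bytes, key: bytes) -> bool:
    """Receiver side: recompute with the locally configured key and compare in
    constant time. A missing option, a wrong length, a mismatched key or any
    change to the covered fields all fail, and the segment is dropped."""
    if (len(option) != TCP_MD5SIG_LEN or option[0] != TCP_MD5SIG_KIND
            or option[1] != TCP_MD5SIG_LEN):
        return False
    return hmac.compare_digest(option[2:], tcp_md5_digest(seg, key))


def demo() -> dict:
    """Constructed sample session (RFC 5737 documentation addresses, made-up keys)."""
    seg = Segment("192.0.2.1", "198.51.100.1", 49152, BGP_PORT,
                  seq=0x11223344, ack=0x55667788,
                  doff_words=10,     # 20-byte fixed header + 20 bytes of options
                  flags=0x18,        # PSH|ACK
                  window=16384, urg=0, payload=BGP_KEEPALIVE)
    opt = md5_option(seg, b"correct-horse")
    # Flip the BGP message type byte (4 -> 3) to simulate on-path modification.
    tampered = replace(seg, payload=BGP_KEEPALIVE[:-1] + b"\x03")
    return {
        "same_key": verify_md5_option(seg, opt, b"correct-horse"),
        "wrong_key": verify_md5_option(seg, opt, b"correct-hoarse"),   # typo on one side
        "tampered": verify_md5_option(tampered, opt, b"correct-horse"),
        "no_option": verify_md5_option(seg, b"", b"correct-horse"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>10}: {'accepted' if ok else 'dropped'}")
```

Two things the code makes concrete. First, the operational failure mode in the thread: the "wrong_key" case is exactly what a forgotten or mistyped `password` line produces, every segment fails verification on one side and the session simply never establishes, with no hint in the digest itself about why. Second, the scope: the key binds only this TCP connection's segments, so it says nothing about whether the prefixes carried inside the session should be accepted; that is what the customer announcement filtering Patrick argues for is about. RFC 2385 has since been obsoleted by TCP-AO (RFC 5925), but the segment-only scope is the same.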