Winstar says there is no TCP/BGP vulnerability

Patrick W.Gilmore patrick at ianai.net
Wed Apr 21 03:49:21 UTC 2004


On Apr 20, 2004, at 11:29 PM, Michel Py wrote:

> Please forgive me if I'm naive and/or ask a stupid question, but is
> there any reason (besides your platform not supporting it) _not_ to MD5
> your BGP sessions? Geez, on my _home_ router all my v4 BGP sessions are
> MD5ed (v6 not there yet).

There is serious operational overhead in maintaining sync'ed passwords 
between separate organizations.  IOW: Eventually someone will screw up 
and lose the password.  When they do, the session goes down, and 
probably for far longer than if some miscreant tries to RST it via the 
"vulnerability".

Actual data: Over the past three plus years an organization with on the 
order of a dozen MD5-ized BGP sessions has had multiple down sessions 
due to, for instance, a peer doing standard (for them) password 
rotation and forgetting to inform the organization.  Each time incurred 
a minimum of several hours downtime, once stretching into several days 
as the peer could not figure out what was wrong and get the right 
person with the password to give it to the organization.

Over the past three plus years with over 1000 non-MD5-ized BGP 
sessions, the same organization experienced exactly *ZERO* seconds of 
downtime identified as due to RST-style attacks.  And certainly no 
prolonged outages due to it.


Add to that the additional CPU overhead some people have reported, 
making it easier to packet the router to its knees, and MD5 looks like 
a cure worse than the disease.


All that said, it is your router, your peers, your decision.  I would 
never dream of telling anyone who wanted MD5 to not do it.  I just 
don't understand people who want to do it.  Especially when they could 
be doing things like filtering at the leaf nodes and forcing their 
vendors to support the TTL hack.

But that's me.

-- 
TTFN,
patrick
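The "TTL hack" named above is GTSM (RFC 5082, originally RFC 3682): a directly connected neighbour's packets arrive with TTL 255, and anything that was forwarded through even one router arrives lower, so a router can drop BGP segments that do not meet that floor without any shared secret to keep in sync. As an added illustration that is not part of the original post, this Python check (assumed names gtsm_verdict and build_packet; the sample headers are constructed) applies the rule to raw IPv4/TCP headers carrying port 179:

```python
import struct

BGP_PORT = 179
TCP_PROTO = 6

def parse_ipv4_tcp_ports(packet: bytes):
    """Return (ttl, protocol, src_port, dst_port) from a raw IPv4 packet.

    Returns None if the packet is too short or not IPv4, so a malformed
    packet can never be mistaken for a trusted neighbour's traffic.
    """
    if len(packet) < 20:
        return None
    ver_ihl, _tos, _tlen, _ident, _frag, ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl + 4:
        return None
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return ttl, proto, src_port, dst_port

def gtsm_verdict(packet: bytes, trust_radius: int = 0) -> str:
    """Apply the GTSM rule: a BGP packet is accepted only if TTL >= 255 - trust_radius.

    trust_radius is how many routers the real neighbour may sit behind
    (0 for a directly connected eBGP peer). A segment injected from
    further away has been decremented below that floor and is dropped.
    """
    parsed = parse_ipv4_tcp_ports(packet)
    if parsed is None:
        return "drop"
    ttl, proto, src_port, dst_port = parsed
    if proto != TCP_PROTO or BGP_PORT not in (src_port, dst_port):
        return "not-bgp"                # GTSM says nothing about other traffic
    return "accept" if ttl >= 255 - trust_radius else "drop"

def build_packet(ttl: int, src_port: int, dst_port: int, flags: int = 0x04) -> bytes:
    """Constructed IPv4+TCP header pair for testing (checksums zeroed; not real traffic)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, TCP_PROTO, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, flags, 0, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    print(gtsm_verdict(build_packet(255, 40000, BGP_PORT)))   # accept: directly connected peer
    print(gtsm_verdict(build_packet(250, 40000, BGP_PORT)))   # drop: passed through five routers
```

Real deployments set the neighbour's TTL to 255 on send and apply this floor per peer in the router's receive path; the check here only models the receive side.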



