Winstar says there is no TCP/BGP vulnerability
Patrick W. Gilmore
patrick at ianai.net
Wed Apr 21 03:49:21 UTC 2004
On Apr 20, 2004, at 11:29 PM, Michel Py wrote:
> Please forgive me if I'm naive and/or ask a stupid question, but is
> there any reason (besides your platform not supporting it) _not_ to MD5
> your BGP sessions? Geez, on my _home_ router all my v4 BGP sessions are
> MD5ed (v6 not there yet).
There is serious operational overhead in maintaining sync'ed passwords
between separate organizations. IOW: Eventually someone will screw up
and lose the password. When they do, the session goes down, and
probably for far longer than if some miscreant tries to RST it via the
"vulnerability".
Actual data: Over the past three plus years an organization with on the
order of a dozen MD5-ized BGP sessions has had multiple down sessions
due to, for instance, a peer doing standard (for them) password
rotation and forgetting to inform the organization. Each time incurred
a minimum of several hours downtime, once stretching into several days
as the peer could not figure out what was wrong and get the right
person with the password to give it to the organization.
Over the past three plus years with over 1000 non-MD5-ized BGP
sessions, the same organization experienced exactly *ZERO* seconds of
downtime identified as due to RST-style attacks. And certainly no
prolonged outages due to it.
Add to that the additional CPU overhead some people have reported,
making it easier to packet the router to its knees, and MD5 looks like
a cure worse than the disease.
All that said, it is your router, your peers, your decision. I would
never dream of telling anyone who wanted MD5 to not do it. I just
don't understand people who want to do it. Especially when they could
be doing things like filtering at the leaf nodes and forcing their
vendors to support the TTL hack.
But that's me.
--
TTFN,
patrick
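As an added illustration (not part of the original post) of why the password has to match byte for byte on both ends: the RFC 2385 TCP MD5 option digests the pseudo-header, the fixed TCP header with its checksum zeroed, the segment data and then the shared key, so a key rotated on one side yields a digest the other side silently rejects, and the session drops exactly as described above. Addresses, ports and keys below are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
BGP_PORT = 179
MD5_OPTION_LEN = 18  # kind(1) + len(1) + 16-byte digest, per RFC 2385


def tcp_md5_signature(src_ip, dst_ip, tcp_header, options_len, payload, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header (checksum zeroed,
    options excluded), segment data, then the shared key, in that order."""
    if len(tcp_header) != 20:
        raise ValueError("expected the fixed 20-byte TCP header")
    # Segment length in the pseudo-header counts header, options and data.
    segment_len = len(tcp_header) + options_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, segment_len))
    # The checksum occupies bytes 16-17 of the TCP header; hash it as zero.
    header_zero_csum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    return hashlib.md5(pseudo + header_zero_csum + payload + key).digest()


def verify_segment(src_ip, dst_ip, tcp_header, options_len, payload,
                   received_digest, key):
    """Receiver side: recompute with the locally configured key and compare
    in constant time. A mismatch means the segment is discarded."""
    expected = tcp_md5_signature(src_ip, dst_ip, tcp_header, options_len,
                                 payload, key)
    return hmac.compare_digest(expected, received_digest)


def build_tcp_header(sport, dport, seq, ack, flags, window):
    # Data offset 10 words = 20-byte header + 20 bytes of options
    # (the 18-byte MD5 option padded to a word boundary with NOPs).
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       (40 // 4) << 4, flags, window, 0, 0)


def demo():
    """Constructed BGP KEEPALIVE: peer A signs with its key; peer B checks
    it with the same key, then after an unannounced key rotation."""
    src, dst = "192.0.2.1", "192.0.2.2"                 # constructed
    header = build_tcp_header(40000, BGP_PORT, 1000, 2000, 0x18, 65535)
    payload = b"\xff" * 16 + struct.pack("!HB", 19, 4)  # marker, len, type
    key = b"constructed-shared-key"
    digest = tcp_md5_signature(src, dst, header, 20, payload, key)
    in_sync = verify_segment(src, dst, header, 20, payload, digest, key)
    rotated = verify_segment(src, dst, header, 20, payload, digest,
                             b"constructed-rotated-key")
    return in_sync, rotated  # (True, False)
```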