BCP38 making it work, solving problems
jpv at veldersjes.net
Tue Oct 19 17:14:32 UTC 2004
> Date: Tue, 19 Oct 2004 09:21:46 -0700
> From: Randy Bush <randy at psg.com>
> Subject: Re: BCP38 making it work, solving problems
> > For example, how many ISPs use TCP MD5 to limit the possibility of a
> > BGP/TCP connection getting hijacked or disrupted by a ddos attack?
> i hope none use it for the latter, as it will not help. more and
> more use it for the former. why? becuase they perceived the need
> to solve an immediate problem, a weakness in a vendor's code.
Uhm, you might need to run that by me again...
Hijacking the connection is in a completely different class as someone
bombarding you with a bunch of forged BGP packets to close down a
session. Without that MD5 checksum you are quite vulnerable to that. I
haven't seen a vendor come up with a solution to that, because the
problem is on a much more vendor-neutral level...
PS: ofcourse that MD5 option also causes problems for peerings to come
back "up" again if you have to reboot/reload *without* properly
closing them... :( Hey, pro's and con's are part of the job ;)
More information about the NANOG