BCP38 making it work, solving problems

David G. Andersen dga at lcs.mit.edu
Tue Oct 19 17:20:08 UTC 2004


On Tue, Oct 19, 2004 at 07:14:32PM +0200, JP Velders scribed:
> 
> > Date: Tue, 19 Oct 2004 09:21:46 -0700
> > From: Randy Bush <randy at psg.com>
> > Subject: Re: BCP38 making it work, solving problems
> 
> > > For example, how many ISPs use TCP MD5 to limit the possibility of a
> > > BGP/TCP connection getting hijacked or disrupted by a ddos attack?
> 
> > i hope none use it for the latter, as it will not help.  more and
> > more use it for the former.  why?  because they perceived the need
> > to solve an immediate problem, a weakness in a vendor's code.
> 
> Uhm, you might need to run that by me again...
> 
> Hijacking the connection is in a completely different class from someone
> bombarding you with a bunch of forged BGP packets to close down a
> session. Without that MD5 checksum you are quite vulnerable to that. I
> haven't seen a vendor come up with a solution to that, because the
> problem is on a much more vendor-neutral level...

  Unless you're worried about an adversary who taps into your
fiber, how are MD5 checksums any better than anti-spoofing filters
that protect your BGP peering sessions?  The only benefit I see is
that you can actually verify that your peer is using MD5 checksums,
instead of having to take them on faith that they won't permit
someone to spoof their router's address.

  -Dave

-- 
work: dga at lcs.mit.edu                          me:  dga at pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
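An added example, not part of this thread or anyone's router code: the RFC 2385 TCP MD5 check the thread is arguing about, as a BGP speaker applies it on receipt. The peer addresses (192.0.2.x documentation space), port numbers and shared key are constructed for the demo; the point it shows is that a segment whose sender does not hold the key is dropped no matter whose source address it carries.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

TCP_PROTO = 6
HDR_WORDS = 5 + 5   # 20-byte base TCP header plus a 20-byte (padded) MD5 option

@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes = b""
    md5: Optional[bytes] = None   # 16-byte digest carried in TCP option kind 19

def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 section 2.0: MD5 over the pseudo-header, the TCP header with
    checksum zeroed and options omitted, the payload, and finally the key."""
    seg_len = HDR_WORDS * 4 + len(seg.payload)
    pseudo = (IPv4Address(seg.src).packed + IPv4Address(seg.dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                      HDR_WORDS << 4, seg.flags, 65535, 0, 0)
    return hashlib.md5(pseudo + hdr + seg.payload + key).digest()

def md5_accepts(seg: Segment, key: bytes) -> bool:
    """Receiver side: no option, or a digest that does not match our copy of
    the key, means the segment is discarded before TCP acts on it."""
    return seg.md5 is not None and hmac.compare_digest(
        seg.md5, tcp_md5_digest(seg, key))

KEY = b"example-shared-secret"                         # constructed for the demo
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # BGP KEEPALIVE message

def demo():
    peer = dict(src="192.0.2.1", dst="192.0.2.2", sport=179, dport=52001,
                seq=1000, ack=2000)
    good = Segment(**peer, flags=0x10, payload=KEEPALIVE)   # ACK signed by the peer
    good.md5 = tcp_md5_digest(good, KEY)
    forged = Segment(**peer, flags=0x04)                    # RST from a spoofed source
    forged.md5 = tcp_md5_digest(forged, b"wrong-guess")     # sender lacks the key
    unsigned = Segment(**peer, flags=0x04)                  # RST with no option at all
    return md5_accepts(good, KEY), md5_accepts(forged, KEY), md5_accepts(unsigned, KEY)
```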