md5 for bgp tcp sessions
Todd Underwood
todd at renesys.com
Thu Jun 23 02:04:09 UTC 2005
eric, all,
not to pick on eric at all, but since he raised the issue...
On Wed, Jun 22, 2005 at 11:42:46AM -0400, Eric Gauthier wrote:
> likely need to make modifications to our IGP/EGP setup. Though we filter
> OSPF multicast traffic, we wanted to add in MD5 passwords to our
> neighbors.
just a quick comment here. i would encourage you not to do that.
the md5 password hack to protect tcp sessions is rapidly falling out
of favor for a number of reasons. among them:
1) it protects against a very limited "vulnerability". for operating
systems that stay up for reasonable periods of time, that generate
sufficiently random ISNs and that check for in-windowness of syns and
rsts, there is a very limited exposure.
2) the cure is worse than the disease:
a) many (all?) implementations of md5 protection of tcp expose
new, easy-to-exploit vulnerabilities in host OSes. md5 verification
is slow and done on a main processor of most routers. md5
verification typically takes place *before* the sequence number,
ports, and ip are checked to see whether they apply to a valid
session. as a result, you've exposed a trivial processor DoS to your
box.
b) coordination problems cause downtime. password
coordination problems are reported to be a major cause of downtime
among peers that i interact with. this downtime is costly and is much
greater than the downtime caused by the (theoretical and not actively
exploited) tcp "vulnerability".
i would encourage everyone to seriously rethink the routine use of MD5
passwords to protect BGP tcp sessions.
t.
--
_____________________________________________________________________
todd underwood
director of operations & security
renesys - interdomain intelligence
todd at renesys.com www.renesys.com
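The ordering point in 2a (digest verified before the cheap per-session checks) can be made concrete with a small model. The following is an added example written for this page, not code from the post or from any router vendor: it implements the RFC 2385 signature construction (MD5 over the pseudo-header, the fixed TCP header with checksum zeroed and options excluded, the data, and the shared key) and a toy receive path for one established session that can verify the digest either before or after the address/port and in-window checks. Session parameters, the key and the segments are constructed for the example; the receiver is a simplification and assumes nothing about how any particular OS or router orders these checks.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
OPTIONS_LEN = 20   # RFC 2385 option (18 bytes) padded with two NOPs to a 4-byte boundary
MOD32 = 1 << 32


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 signature: MD5 over the pseudo-header (src, dst, zero, proto,
    segment length), the 20-byte TCP header with checksum zeroed and options
    excluded, the segment data, and finally the shared key."""
    seg_len = len(tcp_header) + OPTIONS_LEN + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]   # checksum field zeroed
    return hashlib.md5(pseudo + hdr + payload + key).digest()


def build_header(sport, dport, seq, ack, flags, window):
    """Fixed 20-byte TCP header; data offset covers the header plus the padded option."""
    data_offset = (20 + OPTIONS_LEN) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


class Receiver:
    """Toy receive path for one established session (an assumption of this
    example, not any real stack). md5_first=True is the order the post
    describes; False runs the cheap session checks first, so a segment that
    does not belong to the session never reaches the digest computation."""

    def __init__(self, local_ip, peer_ip, lport, pport, rcv_nxt, rcv_wnd, key, md5_first):
        self.local_ip, self.peer_ip = local_ip, peer_ip
        self.lport, self.pport = lport, pport
        self.rcv_nxt, self.rcv_wnd = rcv_nxt, rcv_wnd
        self.key = key
        self.md5_first = md5_first
        self.md5_ops = 0   # number of expensive digest computations performed

    def _session_checks(self, src_ip, dst_ip, header):
        sport, dport, seq = struct.unpack("!HHI", header[:8])
        if (src_ip, dst_ip, sport, dport) != (self.peer_ip, self.local_ip, self.pport, self.lport):
            return False
        return (seq - self.rcv_nxt) % MOD32 < self.rcv_wnd   # in-window test, modulo 2^32

    def _md5_check(self, src_ip, dst_ip, header, payload, digest):
        self.md5_ops += 1
        expected = tcp_md5_digest(src_ip, dst_ip, header, payload, self.key)
        return hmac.compare_digest(expected, digest)

    def accept(self, src_ip, dst_ip, header, payload, digest):
        if self.md5_first:
            return (self._md5_check(src_ip, dst_ip, header, payload, digest)
                    and self._session_checks(src_ip, dst_ip, header))
        return (self._session_checks(src_ip, dst_ip, header)
                and self._md5_check(src_ip, dst_ip, header, payload, digest))


# Constructed session parameters (documentation addresses, not real peers).
LOCAL, PEER, LPORT, PPORT = "192.0.2.1", "198.51.100.1", 179, 40000
RCV_NXT, RCV_WND = 1000, 65535
KEY = b"constructed-example-key"
FLAG_ACK, FLAG_RST = 0x10, 0x04


def new_receiver(md5_first):
    return Receiver(LOCAL, PEER, LPORT, PPORT, RCV_NXT, RCV_WND, KEY, md5_first)


def md5_ops_per_ordering(n_segments):
    """Feed both orderings the same n unsigned RST segments whose sequence
    numbers all fall outside the receive window; return the digest counts."""
    counts = {}
    for name, md5_first in (("md5_first", True), ("session_checks_first", False)):
        rx = new_receiver(md5_first)
        for i in range(n_segments):
            seq = (RCV_NXT + RCV_WND + 1 + i) % MOD32         # just past the window
            hdr = build_header(PPORT, LPORT, seq, 0, FLAG_RST, 0)
            rx.accept(PEER, LOCAL, hdr, b"", b"\x00" * 16)      # bogus digest
        counts[name] = rx.md5_ops
    return counts


def signed_segment_results(key):
    """Outcome of one in-window ACK signed with `key` under both orderings."""
    hdr = build_header(PPORT, LPORT, RCV_NXT, 5000, FLAG_ACK, 65535)
    payload = b"\xff" * 16 + b"\x00\x13\x04"   # constructed BGP KEEPALIVE (marker, length 19, type 4)
    digest = tcp_md5_digest(PEER, LOCAL, hdr, payload, key)
    return tuple(new_receiver(f).accept(PEER, LOCAL, hdr, payload, digest) for f in (True, False))


if __name__ == "__main__":
    print(md5_ops_per_ordering(1000))
    print("correct key:", signed_segment_results(KEY))
    print("wrong key:  ", signed_segment_results(b"wrong"))
```

With the digest verified first, every out-of-window segment costs one MD5 over the whole segment before it is discarded; with the session checks first, the same segments are dropped on an address, port or sequence comparison and the digest is never computed. Legitimately signed in-window traffic is accepted under either order, so the ordering changes only how much work the main processor does on traffic that was going to be rejected anyway.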