md5 for bgp tcp sessions
Jared Mauch
jared at puck.nether.net
Thu Jun 23 15:27:38 UTC 2005
On Thu, Jun 23, 2005 at 05:57:05AM -0400, Todd Underwood wrote:
>
> ras, all,
>
> On Thu, Jun 23, 2005 at 12:14:12AM -0400, Richard A Steenbergen wrote:
> > On Wed, Jun 22, 2005 at 10:04:09PM -0400, Todd Underwood wrote:
>
> > > a) many (all?) implementations of md5 protection of tcp expose
> > > new, easy-to-exploit vulnerabilities in host OSes. md5 verification
> > > is slow and done on a main processor of most routers. md5
> > > verification typically takes place *before* the sequence number,
> > > ports, and ip are checked to see whether they apply to a valid
> > > session. as a result, you've exposed a trivial processor DOS to your
> > > box.
> >
> > Well, I think they've finally fixed this one by now, at least everyone
> > that I'm aware of has done so. Immediately following the whining to start
> > deploying MD5 it was certainly the case that many implementations did
> > stupid stuff like process MD5 before running other validity checks like
> > sequence numbers which are far less computationally intensive, and there
> > were a few MSS bugs that popped up, but they should have all been worked
> > out by now. I don't think that anyone running modern code is suffering any
> > more attack potential because of this.
>
> my understanding is that md5 is still checked before the ttl-hack
> check takes place on cisco (and perhaps most router platforms). new
> attack vector for less security than you had before. oh well. ras:
> can you confirm that it is possible to implement ttl-hack and have it
> check *before* md5 signature checks?
Last I knew there was still a bug open on this that has gotten
little/no action for at least half a year. I would think that in
6 months someone at Cisco could take the time to research the bug
and fix it. (I'll leave out the part about releasing TAC-supported
code with a fix.)
I believe the bugid is CSCee73956
- Jared
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
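The ordering question raised in the thread (does a router run the cheap TTL-hack, port and sequence-number checks before or after the expensive MD5 verification?) can be made concrete with a small receive-path model. This is an added example written for this archive page, not code from the thread, from Cisco, or from any router implementation. It computes the RFC 2385 digest over the pseudo-header, TCP header, data and key, and then validates a segment in two orders: cheap checks first (TTL, 4-tuple, sequence window, then MD5) versus MD5 first. The Session and Segment layouts, the fixed 40-byte header length, and the sample addresses and key are constructed assumptions for illustration.

```python
"""Receive-path check ordering for a TCP MD5 (RFC 2385) protected BGP session.

Added example, not code from the NANOG thread or from any router vendor.
Session/Segment layouts and the check names are assumptions made for
illustration; the digest input follows RFC 2385 section 2.0.
"""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass
from typing import Optional

TCP_PROTO = 6
DATA_OFFSET_WORDS = 10   # assumed: 20-byte header + 20 bytes of options (MD5 option, padded)
GTSM_EXPECTED_TTL = 255  # "TTL hack" (RFC 3682): a directly connected peer sends TTL 255


@dataclass
class Session:
    local_ip: str
    remote_ip: str
    local_port: int
    remote_port: int
    rcv_nxt: int   # next sequence number we expect from the peer
    rcv_wnd: int   # receive window size
    key: bytes     # shared MD5 password


@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int
    ttl: int
    payload: bytes
    md5_digest: Optional[bytes] = None


def rfc2385_digest(seg: Segment, key: bytes) -> bytes:
    """MD5 over pseudo-header, TCP header (checksum zeroed, options excluded), data, key."""
    seg_len = DATA_OFFSET_WORDS * 4 + len(seg.payload)
    pseudo = (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    header = struct.pack("!HHIIBBHHH", seg.src_port, seg.dst_port, seg.seq, seg.ack,
                         DATA_OFFSET_WORDS << 4, seg.flags, seg.window, 0, 0)
    return hashlib.md5(pseudo + header + seg.payload + key).digest()


def sign(seg: Segment, key: bytes) -> Segment:
    """Attach the RFC 2385 digest a sender would place in the MD5 option."""
    seg.md5_digest = rfc2385_digest(seg, key)
    return seg


def validate(seg: Segment, sess: Session, md5_first: bool = False) -> tuple:
    """Return (verdict, number_of_md5_computations).

    md5_first=False is the order the thread argues for: TTL, 4-tuple and
    sequence window reject junk before any digest is computed.
    md5_first=True models the bad order: every packet costs a digest.
    """
    md5_ops = 0

    def md5_ok() -> bool:
        nonlocal md5_ops
        md5_ops += 1
        expected = rfc2385_digest(seg, sess.key)
        return seg.md5_digest is not None and hmac.compare_digest(expected, seg.md5_digest)

    if md5_first and not md5_ok():
        return ("reject: md5", md5_ops)
    if seg.ttl != GTSM_EXPECTED_TTL:          # cheapest check: one byte compare
        return ("reject: ttl", md5_ops)
    if (seg.src_ip, seg.dst_ip, seg.src_port, seg.dst_port) != \
            (sess.remote_ip, sess.local_ip, sess.remote_port, sess.local_port):
        return ("reject: no-session", md5_ops)
    if not (sess.rcv_nxt <= seg.seq < sess.rcv_nxt + sess.rcv_wnd):  # no wraparound handling
        return ("reject: seq", md5_ops)
    if not md5_first and not md5_ok():
        return ("reject: md5", md5_ops)
    return ("accept", md5_ops)


def demo() -> dict:
    """Constructed session and segments (not captured traffic)."""
    sess = Session("192.0.2.1", "192.0.2.2", 179, 40000,
                   rcv_nxt=1000, rcv_wnd=65535, key=b"correct-horse")
    good = sign(Segment("192.0.2.2", "192.0.2.1", 40000, 179, 1000, 500,
                        0x18, 65535, 255, b"\xff" * 16), sess.key)
    # Off-link junk: TTL decremented in transit and signed with the wrong key.
    junk = sign(Segment("192.0.2.2", "192.0.2.1", 40000, 179, 1000, 500,
                        0x18, 65535, 250, b"\xff" * 16), b"wrong-key")
    return {
        "good": validate(good, sess),
        "junk_cheap_first": validate(junk, sess),
        "junk_md5_first": validate(junk, sess, md5_first=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With cheap checks first the off-link segment is dropped at the TTL compare and costs no MD5 computation; with MD5 first the same segment forces a full digest before it is rejected, which is the processor-load concern the thread describes.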