MD5 for TCP/BGP Sessions
vijay gill
vgill at vijaygill.com
Wed Mar 30 23:52:26 UTC 2005
Stephen J. Wilcox wrote:
> without wishing to repeat what can be googled for.. putting acls on your edge to
> protect your ebgp sessions wont work for obvious reasons -- to spoof data and
> disrupt a session you have to spoof the srcip which of course the acl will allow
> in
>
This is why you either have a stateful firewall in your router that
pushes a dynamic acl down to the linecard (or equivalent forwarding
place where the for_us vs through_us decision is made), and filter it
there. That makes guessing the correct 5 tuple a bit harder. Obviously
GTSM is the closest we have yet to hardening (note I did not use
securing) the session.
On average, the stateful filter will cause the attacker to to try 32000
times to find correct 4-tuple. Conversely, attacker resources will need
to be on average 32000 times greater to adversely affect a router. The
cost of attacking infrastructure has risen, but the cost to defender is
minor.
Each configured BGP session already has all the state needed above to
populate the filter.
/vijay
More information about the NANOG
mailing list