MD5 for TCP/BGP Sessions

vijay gill vgill at vijaygill.com
Wed Mar 30 23:52:26 UTC 2005


Stephen J. Wilcox wrote:
> without wishing to repeat what can be googled for.. putting acls on your edge to 
> protect your ebgp sessions wont work for obvious reasons -- to spoof data and 
> disrupt a session you have to spoof the srcip which of course the acl will allow 
> in
> 

This is why you either have a stateful firewall in your router that 
pushes a dynamic acl down to the linecard (or equivalent forwarding 
place where the for_us vs through_us decision is made), and filter it 
there. That makes guessing the correct 5 tuple a bit harder. Obviously 
GTSM is the closest we have yet to hardening (note I did not use 
securing) the session.

On average, the stateful filter will cause the attacker to to try 32000 
times to find correct 4-tuple. Conversely, attacker resources will need 
to be on average 32000 times greater to adversely affect a router. The 
cost of attacking infrastructure has risen, but the cost to defender is 
minor.

Each configured BGP session already has all the state needed above to 
populate the filter.


/vijay



More information about the NANOG mailing list