Security team successfully cracks SSL using 200 PS3's and MD5 flaw.

Nick Hilliard nick at
Sat Jan 3 18:41:04 UTC 2009

Hank Nussbacher wrote:
> You mean like for BGP neighbors?  Wanna suggest an alternative? :-)

tcp/md5 + gtsm (assuming directly connected peers) makes messing around
with bgp sessions rather difficult.  Filtering BGP packets at the edge and
borders slightly more so.  If you have CPU and sufficient quantities of
administrivium to spare, you can use ipsec on your routers for these sessions.

The real issue is how to make compromising bgp sessions sufficiently
difficult to make it an unattractive target.  Given that the cost of
getting write access to the DFZ is not really very high either technically
or financially, I'd propose that while gtsm / md5 / filtering aren't
perfect, they raise the bar high enough to make it not really worth
someone's while trying to break them; and IPsec more so.


More information about the NANOG mailing list