tcp md5 bgp attacks?

Job Snijders job at ntt.net
Tue Aug 14 23:36:02 UTC 2018


On Tue, Aug 14, 2018 at 05:28:13PM -0600, Grant Taylor via NANOG wrote:
> On 08/14/2018 03:38 PM, Randy Bush wrote:
> > so we started to wonder if, since we started protecting our bgp
> > sessions with md5 (in the 1990s), are there still folk trying to
> > attack?
> 
> n00b response here
> 
> I thought using ACLs or otherwise protecting the BGP endpoint was best
> practice.  Thus it's really hard to even try break an MD5 protected
> BGP session if you can't even establish the TCP connection.
> 
> Everything that I've seen or set up had an ACL to only allow the
> peer(s) to be able to connect to (from memory) TCP port 179.
> 
> Is there something that I've missed the boat on?
> 
> #learningOpportunity

To further harden your setup, consider using GTSM

    https://tools.ietf.org/html/rfc5082

Kind regards,

Job



More information about the NANOG mailing list