IGP protocol

• Previous message (by thread): IGP protocol
• Next message (by thread): IGP protocol
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 18 Nov 2018 at 12:15, Alfie Pates <alfie at fdx.services> wrote:

> There's a school of thought which suggests MD5 security on single-hop BGP is absolute theatre with no security benefit and that MACsec is the route you should be taking.

AFAIK there are no known attacks against HMAC-MD5. eBGP I don't care
about. But for iBGP I consider this a problem:

Someone goes to random forest where fibre is trenched, digs it up,
taps fibre until correct fibre+wave is found, then injects BGP UPDATE
to change L3 MPLS VPN labels, and diverts traffic through their device
while returning it safely. Seems quite cheap attack, maybe <5k, and
entirely compromises MPLS security model. iBGP MD5 should protect well
from this.

Not arguing that MacSec isn't superior feature, it's just cost of
MacSec is non-trivial compared to cost of HMAC-MD5, and it seems
HMAC-MD5 for certain attacks is strong guarantee. Ideally we'd
implement TCP-AO (RFC5925) to replace BGP HMAC-MD5, just to get
derived secret instead of static (how many change their MD5 secret
periodically?)  but it looks like ship may have sailed on that one.

-- 
  ++ytti

• Previous message (by thread): IGP protocol
• Next message (by thread): IGP protocol
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]