[110353] in North American Network Operators' Group


Re: Security team successfully cracks SSL using 200 PS3's and MD5

daemon@ATHENA.MIT.EDU (Nick Hilliard)
Sat Jan 3 13:44:01 2009

X-Envelope-To: nanog@nanog.org
Date: Sat, 03 Jan 2009 18:41:04 +0000
From: Nick Hilliard <nick@foobar.org>
To: Hank Nussbacher <hank@efes.iucc.ac.il>
In-Reply-To: <Pine.LNX.4.64.0901031851230.17922@efes.iucc.ac.il>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Hank Nussbacher wrote:
> You mean like for BGP neighbors?  Wanna suggest an alternative? :-)

tcp/md5 + gtsm (assuming directly connected peers) makes messing around
with bgp sessions rather difficult.  Filtering BGP packets at the edge and
borders slightly more so.  If you have CPU and sufficient quantities of
administrivium to spare, you can use ipsec on your routers for these sessions.

The real issue is how to make compromising bgp sessions sufficiently
difficult to make it an unattractive target.  Given that the cost of
getting write access to the DFZ is not really very high either technically
or financially, I'd propose that while gtsm / md5 / filtering aren't
perfect, they raise the bar high enough to make it not really worth
someone's while trying to break them; and IPsec more so.

Nick

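The two cheap checks Nick mentions, GTSM (RFC 5082 TTL check) and the TCP MD5 signature option (RFC 2385), shown together as an added receiver-side example; this is not code from the post or from any router vendor, and the addresses, port, key and KEEPALIVE payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

PEER_KEY = b"example-bgp-key"   # constructed sample key, not from the post

def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, options, payload, key):
    """RFC 2385: MD5 over the pseudo-header, the 20-byte TCP header with its
    checksum zeroed (options excluded but counted in the length), data, key."""
    seg_len = len(fixed_hdr) + len(options) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]   # zero the checksum field
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def gtsm_accept(ttl, trust_radius=0):
    """RFC 5082: a directly connected peer sends TTL 255; lower values crossed a router."""
    return ttl >= 255 - trust_radius

def build_segment(src_ip, dst_ip, src_port, seq, payload, key):
    """Sender side (constructed): 40-byte header = 20 fixed + option 19 + 2 NOPs."""
    fixed = struct.pack("!HHIIBBHHH", src_port, 179, seq, 0, 10 << 4, 0x18, 65535, 0, 0)
    pad = b"\x01\x01"   # two NOP options to reach a 4-byte boundary
    opts = struct.pack("!BB", 19, 18) + b"\x00" * 16 + pad   # digest field still zero
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, opts, payload, key)
    return fixed + struct.pack("!BB", 19, 18) + digest + pad + payload

def verify_segment(src_ip, dst_ip, ttl, segment, key, trust_radius=0):
    """Receiver side: GTSM first (cheap), then the MD5 signature; fails closed."""
    if not gtsm_accept(ttl, trust_radius):
        return False
    fixed, doff = segment[:20], (segment[12] >> 4) * 4
    options, payload = segment[20:doff], segment[doff:]
    i = 0
    while i < len(options):                    # walk the TCP option list
        kind = options[i]
        if kind == 0:                          # end of option list
            break
        if kind == 1:                          # NOP, no length byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            return False                       # malformed option
        if kind == 19 and options[i + 1] == 18:
            expected = tcp_md5_digest(src_ip, dst_ip, fixed, options, payload, key)
            return hmac.compare_digest(options[i + 2:i + 18], expected)
        i += options[i + 1]
    return False                               # no signature option present
```

The payload in the test is a BGP KEEPALIVE (16-byte marker, length 19, type 4); an unsigned segment, a wrong key, a flipped payload byte or a TTL below 255 all fail closed.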
