[12419] in North American Network Operators' Group


Re: protecting operational networks

daemon@ATHENA.MIT.EDU (Vadim Antonov)
Mon Sep 15 18:57:20 1997

Date: Mon, 15 Sep 1997 15:44:41 -0700
From: Vadim Antonov <avg@pluris.com>
To: Ran Atkinson <rja@corp.home.net>
CC: nanog@merit.edu

Ran Atkinson wrote:
> IMHO, any serious network operator using OSPF or BGP should
> have already deployed the techniques below (as applicable):
>         OSPF with Keyed MD5 Authentication
>         BGP-4 with the Keyed MD5 Authentication extension
>                 as a TCP option.

Well, it does not protect against the threat #1 -- namely source
of perfectly good-looking but bogus routes.

In fact, cryptography is not the best (or most useful) solution
for protecting routing infrastructure from barge-in attacks.
The real solution is very simple -- the packets carrying routing
data should _not_ be routable.  ARP is a good example.

Unfortunately the present braindeadedness of IGPs which makes
kludges like iBGP hack necessary makes multihop routing of
network control information inevitable.  I would say we should
concentrate on fixing the original problem, not trying to patch
holes in the broken-as-designed architecture.

> WRT ISIS, lack of a CLNP infrastructure limits the ability of
> outsiders to attack a network.  Nonetheless, ISIS should probably
> also get some kind of cryptographic authentication extension.

Heh.  CLNP is quite widely routed.  At some point it was very
useful as a way to defeat access-filter based protection in
ciscos (that was fixed, though).

--vadim

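As an added illustration of the two points above (this is not code from the message or from any router vendor), a toy receiver in Python that layers a keyed-MD5 digest check, a directly-attached-neighbor check, and a prefix filter. The shared key, addresses, and the HMAC-MD5 digest are constructed stand-ins for the real TCP MD5 option; the wire format is not reproduced.

```python
import hmac
import hashlib
import ipaddress

KEY = b"constructed-shared-secret"  # constructed sample key, not a real credential


def sign_update(peer, prefixes):
    """Model of a keyed-MD5-protected routing update from `peer`.
    HMAC-MD5 stands in for the TCP MD5 option digest (assumption)."""
    body = f"{peer}|{','.join(prefixes)}".encode()
    return body, hmac.new(KEY, body, hashlib.md5).hexdigest()


def auth_ok(body, digest):
    """Keyed-MD5 check: proves the sender holds the key, nothing about the routes."""
    expected = hmac.new(KEY, body, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def link_local_ok(src_ip, ttl, local_net):
    """'Not routable' check: source must sit on the attached subnet and the packet
    must not have been forwarded (each router hop decrements TTL, so 255 = 0 hops)."""
    return ttl == 255 and ipaddress.ip_address(src_ip) in ipaddress.ip_network(local_net)


def accept_routes(body, digest, src_ip, ttl, local_net, allowed):
    """Return the announced prefixes that survive all three checks, or None if the
    packet is rejected outright (bad digest or not from a directly attached peer)."""
    if not auth_ok(body, digest) or not link_local_ok(src_ip, ttl, local_net):
        return None
    announced = body.split(b"|", 1)[1].decode().split(",")
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    # Prefix filter: a correctly keyed peer can still announce a bogus route.
    return [p for p in announced
            if any(ipaddress.ip_network(p).subnet_of(n) for n in allowed_nets)]


def demo():
    # Constructed scenario: a legitimately keyed neighbor announces one expected
    # prefix and one bogus one; the digest check alone cannot tell them apart.
    body, digest = sign_update("192.0.2.1", ["198.51.100.0/24", "203.0.113.0/24"])
    assert auth_ok(body, digest)  # "perfectly good-looking"
    return accept_routes(body, digest, "192.0.2.1", 255, "192.0.2.0/30",
                         allowed=["198.51.100.0/24"])


if __name__ == "__main__":
    print(demo())  # only the expected prefix survives the prefix filter
```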