[149052] in North American Network Operators' Group


MD5 considered harmful

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Fri Jan 27 15:53:36 2012

From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <CAL9jLaah5USAPA50SgxLyTi2sdQdpCrP_mzf3sPGBw1jMLDksQ@mail.gmail.com>
Date: Fri, 27 Jan 2012 15:52:41 -0500
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

MD5 on BGP sessions is the canonical example of a cure worse than the disease.  There has been /infinitely/ more downtime caused by MD5 than the mythical attack it protects against.  (This is true because anything times zero is still zero.)

It is far easier to take a router out than try to calculate the number of RSTs per second you can get through to the RE without your guesses being dropped / throttled, then waiting hours or days to watch a BGP session flap.  Amazingly awesome attack, because as everyone knows BGP sessions never flap on their own, so a random session flapping every day or six will totally freak out the provider in question.  And all that ignores the fact every router vendor fixed the ephemeral port selection & window size issues half a decade ago, so those "days" it takes to reset a single BGP session are actually more like months or years.

Remember, miscreants are lazy, impatient, and frequently clueless.  Who would want to reset a BGP that will come back up in 30-90 seconds when you can packet an entire router off the 'Net easier, more quickly, and for a longer period?

Unfortunately, Network Engineers are lazy, impatient, and frequently clueless as well.  They read something from 1906 that says "$FOO IS GOOD!!1!1!" and force every peer to subscribe to their own ideal without understanding the underlying technology or rationale.


Your network, your decision.  On my network, we do not do MD5.  We do more traffic than anyone and have to be in the top 10 of total eBGP peering sessions on the planet.  Guess how many times we've seen anyone even attempt this attack?  If you guessed more than zero, guess again.

I am fully well aware saying this in a public place means someone, probably many someones, will try it now just to prove me wrong.  I still don't care.  What does that tell you?

STOP USING MD5 ON BGP.

-- 
TTFN,
patrick
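"MD5 on BGP" in the post above is the TCP MD5 signature option of RFC 2385, the mechanism being weighed against its operational cost. The following is an added example, not code from the post or from any router vendor: it computes and verifies the RFC 2385 digest over a constructed BGP KEEPALIVE and shows that a segment arriving without the shared key (no option, or a digest made with the wrong key) fails the receiver's check and is discarded. The addresses, port numbers, sequence numbers and key are all constructed placeholders.

```python
import hashlib
import hmac
import socket
import struct

PROTO_TCP = 6
FLAG_RST, FLAG_ACK = 0x04, 0x10
KEY = b"constructed-demo-key"                 # shared secret on both routers (constructed)
PEER_A, PEER_B = "192.0.2.1", "198.51.100.7"  # constructed session, documentation addresses

def tcp_header(sport, dport, seq, ack, flags, window, opt_len=0):
    """Fixed 20-byte TCP header; data offset counts options in 32-bit words, checksum left 0."""
    data_off = (5 + (opt_len + 3) // 4) << 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_off, flags, window, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, header, payload, key):
    """RFC 2385 digest: IP pseudo-header, TCP header without options and with checksum
    zeroed, segment data, then the key. The pseudo-header length covers options and data."""
    tcp_len = (header[12] >> 4) * 4 + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, PROTO_TCP, tcp_len))
    zeroed = header[:16] + b"\x00\x00" + header[18:]
    return hashlib.md5(pseudo + zeroed + payload + key).digest()

def verify_segment(src_ip, dst_ip, header, payload, key, received_digest):
    """Receiver check: a segment with no signature option, or a digest that does not
    match the configured key, is discarded before it can touch TCP state."""
    if received_digest is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(expected, received_digest)

def demo():
    # Legitimate BGP KEEPALIVE (16-byte marker, length 19, type 4) from A to B, signed with KEY.
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)
    hdr = tcp_header(179, 54321, seq=1000, ack=5000, flags=FLAG_ACK, window=65535, opt_len=18)
    sig = tcp_md5_digest(PEER_A, PEER_B, hdr, keepalive, KEY)
    # RST carrying A's address and a plausible sequence number, but built without KEY.
    rst = tcp_header(179, 54321, seq=1019, ack=5000, flags=FLAG_RST | FLAG_ACK, window=0, opt_len=18)
    wrong = tcp_md5_digest(PEER_A, PEER_B, rst, b"", b"wrong-key")
    return {
        "keepalive_accepted": verify_segment(PEER_A, PEER_B, hdr, keepalive, KEY, sig),
        "rst_without_option": verify_segment(PEER_A, PEER_B, rst, b"", KEY, None),
        "rst_with_bad_digest": verify_segment(PEER_A, PEER_B, rst, b"", KEY, wrong),
    }

if __name__ == "__main__":
    print(demo())  # keepalive_accepted True, the two RST cases False
```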


