[29983] in North American Network Operators' Group
Re: MD5 in BGP4
daemon@ATHENA.MIT.EDU (Kevin Oberman)
Wed Jul 12 11:42:04 2000
Message-Id: <200007121539.e6CFdln00180@ptavv.es.net>
To: "HANSEN CHAN" <hansen.chan@alcatel.com>
Cc: nanog@merit.edu
In-reply-to: Your message of "Wed, 12 Jul 2000 08:26:56 EDT."
<396C640F.B02C5C3E@newbridge.com>
Date: Wed, 12 Jul 2000 08:39:47 -0700
From: "Kevin Oberman" <oberman@es.net>
Errors-To: owner-nanog-outgoing@merit.edu
> Date: Wed, 12 Jul 2000 08:26:56 -0400
> From: "HANSEN CHAN" <hansen.chan@alcatel.com>
> Sender: owner-nanog@merit.edu
>
>
> Hi folks,
>
> I understand that MD5 is quite commonly used in IGP such as OSPF but not
> in BGP4. Am I correct? Can someone explain to me why? Shouldn't one be
> more concerned about the session being hijacked when talking to another
> network?
I'll take a crack at this, I guess.
OSPF and most (all?) other IP based routing protocols broadcast and
flood data. This makes it pretty easy for someone to simply send out a
spoofed packet and have it believed by one or more routers.
BGP is a TCP based protocol and is normally run only to an adjacent
peer. This combination makes it very hard to break into. You have to
have another system on the shared media send a spoofed packet with
bogus information that fits the TCP stream and the BGP status for that
peering (and many BGP connections are point-to-point, making even
this impossible).
Multi-hop BGP is a different beast and much more likely to be subject
to attack, but it's also pretty rare and such an attack would still be
very difficult.
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634
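The mechanism the question refers to as "MD5 in BGP4" is the TCP MD5 signature option (RFC 2385), which a BGP speaker can use to authenticate every segment of the TCP session so that a spoofed segment fitting the TCP stream, the attack the reply above describes, is dropped unless the sender also knows the shared key. The following is an added example, not code from the thread or from any router vendor: it computes and verifies an RFC 2385 digest over a constructed BGP KEEPALIVE segment. The addresses, ports, sequence numbers and key are made up for illustration.

```python
import hashlib
import hmac
import socket
import struct

# Added example, not from the NANOG thread: an RFC 2385 style TCP MD5
# signature computed over a constructed BGP KEEPALIVE segment.
# Addresses, ports, sequence numbers and the key are all made up.

TCP_PROTO = 6
MD5_OPT_KIND = 19          # TCP option kind for the MD5 signature (RFC 2385)
MD5_OPT_LEN = 18           # kind (1) + length (1) + 16-byte digest
BGP_PORT = 179

# A BGP KEEPALIVE: 16-byte all-ones marker, 2-byte length (19), type 4.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def build_segment(src_port, dst_port, seq, ack, flags, payload, digest=bytes(16)):
    """Build a TCP segment carrying the MD5 option; checksum is left at zero."""
    # Option block: MD5 option (18 bytes) + NOP + EOL padding to a 4-byte boundary.
    options = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x00"
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                        data_offset << 4, flags, 65535, 0, 0)
    return fixed + options + payload


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest, covering in order: the TCP pseudo-header (src, dst,
    zero, protocol, segment length), the fixed 20-byte TCP header with the
    checksum zeroed and options excluded, the segment data, and the key."""
    fixed = segment[:20]
    header_len = (fixed[12] >> 4) * 4
    payload = segment[header_len:]
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    fixed_no_csum = fixed[:16] + b"\x00\x00" + fixed[18:]
    return hashlib.md5(pseudo + fixed_no_csum + payload + key).digest()


def sign_segment(src_ip, dst_ip, segment, key):
    """Return the segment with the MD5 option's digest filled in."""
    digest = tcp_md5_digest(src_ip, dst_ip, segment, key)
    # In build_segment's layout the digest sits at bytes 22..37.
    return segment[:22] + digest + segment[38:]


def find_md5_option(segment):
    """Walk the TCP options and return the 16-byte digest, or None if absent."""
    header_len = (segment[12] >> 4) * 4
    opts = segment[20:header_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                  # End of option list
            break
        if kind == 1:                  # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2:
            break                      # malformed option; stop parsing
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return opts[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver-side check: accept only segments carrying a valid signature.
    The digest is recomputed over the received bytes, so any change to the
    addresses, header fields or payload makes verification fail."""
    received = find_md5_option(segment)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    key = b"example-shared-secret"    # constructed value for the demo
    seg = build_segment(BGP_PORT, 40000, 1000, 2000, 0x18, BGP_KEEPALIVE)
    signed = sign_segment("192.0.2.1", "192.0.2.2", seg, key)
    print("valid signature:", verify_segment("192.0.2.1", "192.0.2.2", signed, key))
    print("wrong key:      ", verify_segment("192.0.2.1", "192.0.2.2", signed, b"other"))
```

Note that the option itself is excluded from the digest, so the receiver does not need to zero it before recomputing; it simply compares the carried digest with its own. A segment whose payload, sequence numbers or source address were altered in flight, or that was injected without the key, fails the comparison and is discarded before BGP ever sees it.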