[29993] in North American Network Operators' Group


Re: MD5 in BGP4

daemon@ATHENA.MIT.EDU (Danny McPherson)
Wed Jul 12 13:51:04 2000

Message-Id: <200007121749.LAA11751@tcb.net>
To: nanog@merit.edu
From: Danny McPherson <danny@tcb.net>
Reply-To: danny@tcb.net
Date: Wed, 12 Jul 2000 11:49:34 -0600
Errors-To: owner-nanog-outgoing@merit.edu
I suggest you go (re?)read RFC 2385.  Intuitively, 
it's called the TCP MD5 Signature Option, not the 
BGP MD5 Signature Option.

Again, it's not insurmountable, though it is far, 
far better than nothing.

-danny

> BGP MD5 signatures do not protect the TCP/IP stream from
> spoofed TCP RSTs.  The MD5 signature is checked at the
> BGP application layer after passing through and being
> acted on by the TCP stack.  You can play all sorts of
> MAC, ARP, ICMP, IP and TCP games with the stream which
> MD5 won't prevent.
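
As an added illustration of the point made in the reply (constructed example code, not from the list post or from any router's stack): a minimal RFC 2385 signer and verifier in Python. The key, addresses, ports and sequence numbers are constructed values, and the option layout (two NOPs followed by the 18-byte MD5 option) is an assumption about padding, not something the RFC mandates. It shows that the digest covers the TCP header, RST flag included, so a segment on the right 4-tuple that lacks the key fails at the TCP layer before BGP ever sees it.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
TCPOPT_MD5 = 19                 # RFC 2385 option kind; length 18 = 2 + 16-byte digest
FLAG_RST, FLAG_ACK = 0x04, 0x10

def rfc2385_digest(src_ip, dst_ip, header, options, payload, key):
    """MD5 over: pseudo-header, TCP header with checksum zeroed (options excluded), data, key."""
    seg_len = len(header) + len(options) + len(payload)
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr = header[:16] + b"\x00\x00" + header[18:]          # checksum lives at bytes 16-17
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, key=None):
    """Header-only TCP segment; with a key, append NOP NOP + MD5 option (20 bytes, assumed layout)."""
    opt_len = 20 if key is not None else 0
    offset_words = (20 + opt_len) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, offset_words << 4, flags, 65535, 0, 0)
    if key is None:
        return header
    digest = rfc2385_digest(src_ip, dst_ip, header, b"\x00" * opt_len, b"", key)
    return header + b"\x01\x01" + bytes([TCPOPT_MD5, 18]) + digest

def verify_segment(src_ip, dst_ip, segment, key):
    """True iff the segment carries an RFC 2385 option whose digest matches key; otherwise drop."""
    offset = (segment[12] >> 4) * 4
    header, options, payload = segment[:20], segment[20:offset], segment[offset:]
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0: break                                  # end of option list
        if kind == 1: i += 1; continue                       # NOP
        if i + 1 >= len(options) or options[i + 1] < 2:      # malformed length: drop
            return False
        length = options[i + 1]
        if kind == TCPOPT_MD5 and length == 18:
            expected = rfc2385_digest(src_ip, dst_ip, header, options, payload, key)
            return hmac.compare_digest(options[i + 2:i + 18], expected)
        i += length
    return False                                             # unsigned segment: rejected

KEY = b"constructed-demo-key"                     # constructed value; real peers share a secret
A, B = "192.0.2.1", "192.0.2.2"                   # RFC 5737 documentation addresses
signed_rst = build_segment(A, B, 179, 40000, 1000, 2000, FLAG_RST | FLAG_ACK, KEY)
spoofed_rst = build_segment(A, B, 179, 40000, 1000, 2000, FLAG_RST | FLAG_ACK)   # same 4-tuple, no key
accepted = verify_segment(A, B, signed_rst, KEY)   # True: the RST itself is covered by the digest
rejected = verify_segment(A, B, spoofed_rst, KEY)  # False: dropped at TCP, never reaches BGP
```

A real stack also checks sequence numbers and the IP layer's checksum; this block isolates only the signature check that RFC 2385 adds.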