[30007] in North American Network Operators' Group
Re: MD5 in BGP4
daemon@ATHENA.MIT.EDU (Danny McPherson)
Wed Jul 12 23:38:09 2000
Message-Id: <200007130337.VAA16408@tcb.net>
To: nanog@merit.edu
From: Danny McPherson <danny@tcb.net>
Reply-To: danny@tcb.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 12 Jul 2000 21:37:10 -0600
Errors-To: owner-nanog-outgoing@merit.edu
> It's a kind of useless thing. If you allow spoofing,
> you are vulnerable to DoS attacks against BGP; if you
> do not, there is no need to use MD5 for BGP.
Actually, I can think of more than a few configurations
where this isn't true. For example, shared-media exchange
points where multiple networks reside on a single segment
and eBGP peer using the address of the segment. The IP
network number is associated only with the interface;
there's no individual hardware/IP address relationship
relative to anti-spoofing here.
> And DoS attacks are the reality, not BGP spoofing (maybe
> you know of such a case? I do not know of any).
Agreed, its purpose is more to protect against DoS-type
stuff at the TCP layer.
> For IS-IS and OSPF, it is another matter. They are working
> over the LAN, and customers and internal users are often
> plugged into this network. So, authentication is necessary
> to prevent both errors and intrusions (and the anti-error
> measures are much more important in such networks).
However, I think we'd both agree that a configuration such
as this (IGP being enabled on customer facing interfaces)
is ill-advised.
> Just again, I know a lot of cases where an IGP was broken
> by error (someone installed a new server and turned OSPF
> on), but I do not know of any attacks of this kind (though
> I believe there are such cases for IGP protocols). Though,
> to defend against such attacks originating from an IGP, you
> need a lot of things to be used (no redirects, static ARP,
> etc. etc.).
Agreed.
-danny
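Added example, not part of this message or the thread: the TCP-layer protection
discussed above is the TCP MD5 Signature Option (RFC 2385). The Python below
signs a constructed BGP KEEPALIVE segment between two peers on a shared
segment and then shows why a RST spoofed from the peer's address is useless
without the shared key: the receiver recomputes the digest over pseudo-header,
fixed TCP header (checksum zeroed, options excluded), payload and key, and
drops any segment whose option does not match. Addresses 192.0.2.x, ports,
sequence numbers and the key are constructed for the demonstration; the
checksum field is left at zero because the digest ignores it anyway.

```python
"""RFC 2385 TCP MD5 signature option: sign and verify constructed segments."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCPOPT_EOL, TCPOPT_NOP = 0, 1
TCPOPT_MD5SIG = 19        # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18       # kind + length + 16-byte digest
FLAG_RST, FLAG_ACK, FLAG_PSH = 0x04, 0x10, 0x08

# Options block placed on the wire by build_segment(): two NOPs pad the
# 18-byte option to a 4-byte boundary, so the header is 20 + 20 = 40 bytes.
OPTIONS_LEN = 20
DATA_OFFSET = (20 + OPTIONS_LEN) // 4     # header length in 32-bit words

# Constructed demo values (not from the original message).
PEER_A, PEER_B, KEY = "192.0.2.1", "192.0.2.2", b"ixp-peering-secret"
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def _pseudo_header(src_ip, dst_ip, seg_len):
    """IPv4 pseudo-header: src, dst, zero, protocol, TCP segment length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, seg_len))


def _digest(src_ip, dst_ip, fixed_hdr, payload, seg_len, key):
    """MD5 in the RFC 2385 section 2 order: pseudo-header, fixed TCP header
    with checksum zeroed and options excluded, payload, then the key."""
    hdr_zeroed = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    h = hashlib.md5()
    h.update(_pseudo_header(src_ip, dst_ip, seg_len))
    h.update(hdr_zeroed)
    h.update(payload)
    h.update(key)
    return h.digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, key, payload=b""):
    """Return TCP header + options + payload carrying a valid MD5 option."""
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                        (DATA_OFFSET << 12) | flags, 65535, 0, 0)
    seg_len = len(fixed) + OPTIONS_LEN + len(payload)
    sig = _digest(src_ip, dst_ip, fixed, payload, seg_len, key)
    options = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + sig
    return fixed + options + payload


def build_unsigned_rst(sport, dport, seq):
    """What an attacker on the shared segment can forge without the key:
    a plain 20-byte RST/ACK using the victim peer's source address."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       (5 << 12) | FLAG_RST | FLAG_ACK, 0, 0, 0)


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: find the MD5 option, recompute the digest under our
    key and compare. No option at all is a reject, as on a BGP speaker
    configured with a password for this neighbor."""
    fixed = segment[:20]
    data_offset = (struct.unpack("!H", fixed[12:14])[0] >> 12) * 4
    options, payload = segment[20:data_offset], segment[data_offset:]
    found, i = None, 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = options[i + 1]
        if length < 2:                       # malformed option; reject segment
            return False
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            found = options[i + 2:i + 18]
        i += length
    if found is None:
        return False
    expected = _digest(src_ip, dst_ip, fixed, payload, len(segment), key)
    return hmac.compare_digest(found, expected)


def demo():
    """Sign a KEEPALIVE from A to B, then try the attacks the thread discusses."""
    good = build_segment(PEER_A, PEER_B, 179, 40001, 1000, 2000,
                         FLAG_ACK | FLAG_PSH, KEY, BGP_KEEPALIVE)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])        # flipped payload byte
    return {
        "legit_keepalive": verify_segment(PEER_A, PEER_B, good, KEY),
        "wrong_key": verify_segment(PEER_A, PEER_B, good, b"guess"),
        "tampered_payload": verify_segment(PEER_A, PEER_B, tampered, KEY),
        "spoofed_rst_no_key": verify_segment(
            PEER_A, PEER_B, build_unsigned_rst(179, 40001, 1001), KEY),
        "spoofed_rst_wrong_key": verify_segment(
            PEER_A, PEER_B, build_segment(PEER_A, PEER_B, 179, 40001, 1001, 0,
                                          FLAG_RST | FLAG_ACK, b"guess"), KEY),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'accepted' if ok else 'dropped'}")
```

Only the first segment is accepted; every forgery from the peer's IP address
on the shared segment is dropped before it can reset the BGP session, which is
exactly the case where per-port anti-spoofing filters cannot help. Note this
is an integrity check against a shared secret, not confidentiality, and the
key must be provisioned out of band on both speakers.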