[42506] in North American Network Operators' Group


Re: What Worked - What Didn't

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Sep 17 14:47:15 2001

Message-Id: <200109171846.f8HIkPr32088@foo-bar-baz.cc.vt.edu>
To: "Patrick W. Gilmore" <patrick@ianai.net>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Mon, 17 Sep 2001 14:32:35 EDT."
             <5.1.0.14.2.20010917142747.02d1cca8@127.0.0.1> 
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-1118697828P";
	 micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Mon, 17 Sep 2001 14:46:25 -0400
Errors-To: owner-nanog-outgoing@merit.edu



On Mon, 17 Sep 2001 14:32:35 EDT, "Patrick W. Gilmore" <patrick@ianai.net>  said:
> If someone can splice into my point-to-point OC system, fake being the 
> router on the other end, and keep my peer from calling me and asking what 

You *do* do ingress and egress filtering of your own addresses, and have checked
that your router does in fact use cryptographically challenging sequence
numbers, right?

And even if you don't, using MD5 is not *that* expensive (or shouldn't be),
and provides security in depth.

Unfortunately, I'll bet there's a LOT of routers that don't have filtering
in place, don't have good sequence numbers, and don't use MD5.  Enough said...
-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
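The three defenses named in the post (anti-spoofing filters, unpredictable sequence numbers, and the TCP MD5 option) are what keep a forged segment from being accepted on a BGP session. The example below, which is an added illustration and not code from this thread or from any router vendor, works through the third one: it computes and verifies the RFC 2385 TCP MD5 signature option. The addresses, ports, shared key and the BGP KEEPALIVE payload are all constructed for the example; the function names are the example's own.

```python
"""RFC 2385 TCP MD5 signature option: digest computation and receiver-side check.

Added example, not code from the NANOG post. Every value below (peer addresses,
ports, key, payload) is constructed for illustration.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

TCP_PROTO = 6
TCPOPT_MD5 = 19        # option kind assigned by RFC 2385
TCPOPT_MD5_LEN = 18    # kind(1) + length(1) + 16-byte digest


@dataclass(frozen=True)
class TcpHeader:
    """The fixed 20-byte TCP header fields that the signature covers."""
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int   # header length in 32-bit words, options included
    flags: int
    window: int
    urgent: int = 0

    def pack(self) -> bytes:
        # RFC 2385 hashes the header with the checksum field set to zero.
        return struct.pack(
            "!HHIIBBHHH",
            self.src_port, self.dst_port, self.seq, self.ack,
            (self.data_offset & 0xF) << 4, self.flags & 0x3F,
            self.window, 0, self.urgent,
        )


def tcp_md5_digest(src_ip: str, dst_ip: str, hdr: TcpHeader,
                   payload: bytes, key: bytes) -> bytes:
    """Digest over pseudo-header, fixed TCP header (checksum 0), data, then key."""
    seg_len = hdr.data_offset * 4 + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    m = hashlib.md5()
    m.update(pseudo)
    m.update(hdr.pack())
    m.update(payload)
    m.update(key)
    return m.digest()


def build_md5_option(digest: bytes) -> bytes:
    """Encode the digest as a TCP option: kind 19, length 18, 16 digest bytes."""
    return struct.pack("!BB", TCPOPT_MD5, TCPOPT_MD5_LEN) + digest


def verify_segment(src_ip: str, dst_ip: str, hdr: TcpHeader, payload: bytes,
                   option: bytes, key: bytes) -> bool:
    """Receiver side: reject a missing or malformed option, then compare digests
    in constant time. A segment from anyone who lacks the key fails here, before
    sequence-number checks or the BGP process ever see it."""
    if (len(option) != TCPOPT_MD5_LEN or option[0] != TCPOPT_MD5
            or option[1] != TCPOPT_MD5_LEN):
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, hdr, payload, key)
    return hmac.compare_digest(option[2:], expected)


# Constructed sample: a BGP KEEPALIVE (16-byte 0xff marker, length 19, type 4)
# between two documentation addresses, signed with a made-up shared key.
PEER_A = "192.0.2.1"
PEER_B = "192.0.2.2"
SHARED_KEY = b"example-bgp-key"     # constructed; a real key must not be guessable
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
# flags 0x18 = PSH|ACK; data_offset 10 = 40-byte header (20 fixed + 18 option + 2 pad)
HEADER = TcpHeader(src_port=179, dst_port=54321, seq=0x1000, ack=0x2000,
                   data_offset=10, flags=0x18, window=16384)


def demo() -> dict:
    """Sign the sample segment once and show which variants the receiver accepts."""
    option = build_md5_option(
        tcp_md5_digest(PEER_A, PEER_B, HEADER, KEEPALIVE, SHARED_KEY))
    tampered = KEEPALIVE[:-1] + b"\x03"   # same segment, message type changed
    return {
        "genuine": verify_segment(PEER_A, PEER_B, HEADER, KEEPALIVE, option, SHARED_KEY),
        "wrong_key": verify_segment(PEER_A, PEER_B, HEADER, KEEPALIVE, option, b"not-the-key"),
        "tampered_payload": verify_segment(PEER_A, PEER_B, HEADER, tampered, option, SHARED_KEY),
        "no_option": verify_segment(PEER_A, PEER_B, HEADER, KEEPALIVE, b"", SHARED_KEY),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:17s} accepted={accepted}")
```

Only the genuine segment is accepted; the other three are dropped at the TCP layer. That is the "security in depth" point of the post: even on a router with weak sequence numbers and no filters, a segment whose sender never held the key cannot pass this check, and the comparison uses `hmac.compare_digest` so the receiver does not leak timing information about how much of the digest matched.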


