[69900] in North American Network Operators' Group
RE: TCP/BGP vulnerability - easier than you think
daemon@ATHENA.MIT.EDU (Michel Py)
Wed Apr 21 10:36:06 2004
Date: Wed, 21 Apr 2004 07:35:27 -0700
From: "Michel Py" <michel@arneill-py.sacramento.ca.us>
To: "Adam Rothschild" <asr+nanog@latency.net>,
"Mikael Abrahamsson" <swmike@swm.pp.se>
Cc: <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu

> Adam Rothschild wrote:
> Which begs the question, what is one to do, shy of
> moving (private) peering/transit/customer /31's and
> /30's into non-routable IP space, which opens up an
> entirely new can of worms?

Insist that the peer uses "ip verify unicast reverse-path" on all
interfaces, or a similar command for other vendors.

> Fact of the matter is, MD5 computation/verification
> is not cheap, and many Cisco and Juniper platforms
> aren't designed to handle a barrage of MD5-hashed
> TCP packets. All things considered, I think MD5
> authentication will lower the bar for attackers, not
> raise it. I'm sure code optimizations could fix
> things to some degree, but that's just not the case
> today.

Certainly the best reason not to MD5 I have heard so far.

> Mikael Abrahamsson wrote:
> http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml
> This one seems much worse than the TCP RST problem.

Relatively easy to filter though.

Michel.
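Editor's added illustration (not part of the thread, and not Michel's or anyone else's posted configuration) of the two mitigations the message points at: the uRPF check that keeps a network from emitting packets with a spoofed source, which is what a TCP RST aimed at a BGP session relies on, and an edge filter for the SNMP exposure Mikael links. Interface names, the customer and management prefixes (RFC 5737 documentation space) and the IOS syntax are assumptions; check them against your platform's documentation before use.

```cisco
! Added example: uRPF and SNMP edge filtering on a Cisco IOS router.
! Interface names, addresses and prefixes are assumptions.
!
! Strict uRPF on a single-homed customer interface. A packet is dropped
! unless the best route back to its source address points out this same
! interface, so this customer cannot source packets that claim to come
! from some other network's peering /30.
interface GigabitEthernet0/1
 description single-homed customer
 ip address 192.0.2.1 255.255.255.252
 ip verify unicast source reachable-via rx
!
! Older IOS releases express the same strict check as the command quoted
! in the message:
!  ip verify unicast reverse-path
!
! Loose uRPF on a multi-homed or asymmetrically routed interface. Only
! requires that a route to the source exist at all, so legitimate traffic
! arriving on the "wrong" interface still passes, while packets from
! unrouted (bogon) sources are dropped. Strict mode here would blackhole
! the customer's asymmetric return traffic.
interface GigabitEthernet0/2
 description multi-homed customer, asymmetric return path
 ip address 198.51.100.1 255.255.255.252
 ip verify unicast source reachable-via any
!
! SNMP from outside: drop UDP/161 (snmp) and UDP/162 (snmptrap) at the
! transit edge, allowing only the assumed management prefix 203.0.113.0/24.
ip access-list extended EDGE-IN
 permit udp 203.0.113.0 0.0.0.255 any eq snmp
 permit udp 203.0.113.0 0.0.0.255 any eq snmptrap
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 permit ip any any
!
interface GigabitEthernet0/0
 description upstream transit
 ip access-group EDGE-IN in
```

The reason Michel's advice is phrased as "insist that the peer uses" it is that uRPF only stops spoofing where the spoofed packet enters the network; once a forged packet is already in transit, the receiving router cannot tell it from a genuine one without something like MD5, which the quoted text argues has its own cost. Strict mode is the useful check on single-homed edges; on interfaces where return traffic may legitimately arrive elsewhere, loose mode is the one that will not break customers.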