[69928] in North American Network Operators' Group
Re: TCP/BGP vulnerability - easier than you think
daemon@ATHENA.MIT.EDU (Paul Jakma)
Wed Apr 21 18:45:51 2004
Date: Wed, 21 Apr 2004 21:00:55 +0100 (IST)
From: Paul Jakma <paul@clubi.ie>
To: Iljitsch van Beijnum <iljitsch@muada.com>
Cc: nanog@merit.edu
In-Reply-To: <B4F5E969-93CC-11D8-A335-000A95CD987A@muada.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 21 Apr 2004, Iljitsch van Beijnum wrote:
> On 21-apr-04, at 21:17, Paul Jakma wrote:
>
> > > I'm not recommending this for "small" peers as the crypto DoS risk
> > > is worse than what happens when the attack is executed
> > > successfully.
>
> > Why would MD5 be more of a crypto DoS risk with IPSec AH headers than
> > with bgp tcp-md5?
>
> Beats me. But why do you bring up IPsec?
The paragraph quoted is your advice against using IPSec. I don't
see why MD5 auth header IPSec-protected sessions would have more
risk of crypto DoS compared to the simple BGP TCP MD5 hack. The
risk is due to MD5, not IPSec :).
> Anyway, what needs to happen is a form of crypto where the
> expensive algorithms are only executed for good packets and not for
> all packets.
So configure ipsec to authenticate packets between the peers, allowing
only md5 or somesuch. I don't know about other IOS, but other
implementations do allow one to specify security associations on a
per-port basis.
regards,
--
Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A
warning: do not ever send email to spam@dishone.st
Fortune:
It's interesting to think that many quite distinguished people have
bodies similar to yours.
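Worked example, added to this archive page and not part of either poster's message: the "simple BGP TCP MD5 hack" being discussed is the RFC 2385 TCP MD5 signature option (kind 19), where the receiver has to run MD5 over the pseudo-header, the base TCP header, the data and the shared key for every segment carrying the option. The code below signs and verifies such segments, then shows the ordering Iljitsch asks for: cheap demux and sequence-window checks before the hash, so spoofed segments that miss the window never cost an MD5. The addresses, ports, key and KEEPALIVE payload are constructed for the example; the pre-check ordering is an illustration of the design point, not a description of any particular stack, and the IPsec per-port SA side of the discussion is not shown.

```python
"""RFC 2385 TCP MD5 signature option: sign, verify, and a cheap pre-check
that keeps MD5 off the path for obviously bogus segments.
Added example for this thread; not code from the original posts."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
OPT_NOP = 1
OPT_MD5SIG = 19        # option kind assigned by RFC 2385
OPT_MD5SIG_LEN = 18    # kind(1) + length(1) + 16-byte digest


def base_header(sport, dport, seq, ack, flags, window, data_offset_words):
    """20-byte TCP header; checksum and urgent pointer left at zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def rfc2385_digest(src_ip, dst_ip, hdr, seg_len, payload, key):
    """MD5 over: pseudo-header, TCP header without options and with
    checksum zeroed, segment data, then the key (RFC 2385 section 2.0)."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr_zero_csum = hdr[:16] + b"\x00\x00" + hdr[18:20]
    return hashlib.md5(pseudo + hdr_zero_csum + payload + key).digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, key):
    """Header + MD5 option (padded with two NOPs to 20 option bytes) + payload."""
    opt_len = OPT_MD5SIG_LEN + 2
    hdr = base_header(sport, dport, seq, ack, flags, window, (20 + opt_len) // 4)
    seg_len = 20 + opt_len + len(payload)
    digest = rfc2385_digest(src_ip, dst_ip, hdr, seg_len, payload, key)
    options = bytes([OPT_MD5SIG, OPT_MD5SIG_LEN]) + digest + bytes([OPT_NOP, OPT_NOP])
    return hdr + options + payload


def parse_segment(segment):
    """Return (header20, options, payload, fields); raises ValueError if malformed."""
    if len(segment) < 20:
        raise ValueError("short segment")
    sport, dport, seq, ack, off_byte, flags, window = struct.unpack("!HHIIBBH", segment[:16])
    data_off = (off_byte >> 4) * 4
    if data_off < 20 or data_off > len(segment):
        raise ValueError("bad data offset")
    fields = dict(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags, window=window)
    return segment[:20], segment[20:data_off], segment[data_off:], fields


def find_md5_option(options):
    """Walk the option list and return the 16-byte digest, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        if kind == OPT_MD5SIG:
            if length != OPT_MD5SIG_LEN:
                raise ValueError("bad MD5 option length")
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Recompute the RFC 2385 digest and compare it in constant time."""
    hdr, options, payload, _ = parse_segment(segment)
    got = find_md5_option(options)
    if got is None:
        return False
    want = rfc2385_digest(src_ip, dst_ip, hdr, len(segment), payload, key)
    return hmac.compare_digest(got, want)


def receive(session, src_ip, dst_ip, segment, key):
    """Illustrative ordering (an assumption of this example, not a claim about
    any stack): demux and window checks first, MD5 only for segments that pass.
    The window test ignores 32-bit sequence wrap for brevity."""
    try:
        _, _, _, f = parse_segment(segment)
    except ValueError:
        return "drop-cheap"
    if (src_ip, dst_ip, f["sport"], f["dport"]) != (
            session["peer_ip"], session["local_ip"], session["peer_port"], session["local_port"]):
        return "drop-cheap"
    lo = session["rcv_nxt"]
    if not lo <= f["seq"] < lo + session["rcv_wnd"]:
        return "drop-cheap"
    return "accept" if verify_segment(src_ip, dst_ip, segment, key) else "drop-md5"


# Constructed session and key (assumptions of this example).
SESSION = dict(peer_ip="192.0.2.1", local_ip="192.0.2.2", peer_port=179,
               local_port=40000, rcv_nxt=1000, rcv_wnd=16384)
KEY = b"example-bgp-secret"
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"   # 19-byte BGP KEEPALIVE


def demo(n_spoofed=1000):
    """One signed KEEPALIVE from the peer, one in-window forgery with a guessed
    key, and n_spoofed out-of-window RSTs; returns how each class was handled."""
    s = SESSION
    common = (s["peer_ip"], s["local_ip"], s["peer_port"], s["local_port"])
    good = sign_segment(*common, 1000, 5000, 0x18, 65535, KEEPALIVE, KEY)
    forged = sign_segment(*common, 1000, 5000, 0x18, 65535, KEEPALIVE, b"guess")
    spoofs = [sign_segment(*common, 1000 + s["rcv_wnd"] + i, 0, 0x04, 0, b"", b"x")
              for i in range(n_spoofed)]
    results = {"accept": 0, "drop-md5": 0, "drop-cheap": 0}
    for seg in [good, forged] + spoofs:
        results[receive(s, s["peer_ip"], s["local_ip"], seg, KEY)] += 1
    return results


if __name__ == "__main__":
    print(demo())
```

The forged in-window segment is the case both posters care about: it is only rejected after a full MD5, and that cost is the same whether the digest rides in a TCP option or in an IPsec AH header, which is Paul's point that the DoS exposure comes from MD5 rather than from IPsec. The out-of-window spoofs are dropped before any hashing, which is the "expensive algorithms only for good packets" behaviour Iljitsch asks for.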