[74900] in North American Network Operators' Group


Re: BCP38 making it work, solving problems

daemon@ATHENA.MIT.EDU (Patrick W Gilmore)
Wed Oct 20 02:37:51 2004

In-Reply-To: <Pine.LNX.4.58.0410191910200.12384@jp-gp.vsi.nl>
Cc: Patrick W Gilmore <patrick@ianai.net>
From: Patrick W Gilmore <patrick@ianai.net>
Date: Wed, 20 Oct 2004 02:37:13 -0400
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu


On Oct 19, 2004, at 1:14 PM, JP Velders wrote:

> jacking the connection is in a completely different class as someone
> bombarding you with a bunch of forged BGP packets to close down a
> session. Without that MD5 checksum you are quite vulnerable to that. I
> haven't seen a vendor come up with a solution to that, because the
> problem is on a much more vendor-neutral level...

We haven't talked about this in a few months, so what the hell....

Have you actually done the work to see how many packets it takes to 
shut down a session with and without MD5 enabled?  (The question is 
rhetorical, since your post shows that you have not.)

Back on topic, the MD5 debate is not an exact apples-to-apples 
comparison of BCP38.  Stopping people from shutting down your BGP 
sessions is not the same as letting your customer hurt me while 
claiming to be a third party.

Put another way, MD5 on BGP sessions is a personal choice per network.  
I made my decision.  You are welcome and encouraged to make your own.  
Neither will affect the other, except where our two networks meet.  
(And then I am positive we can come to some mutual understanding.)

BCP38 is not a personal decision.  Not implementing it hurts the whole 
Internet, not just your little corner.

-- 
TTFN,
patrick
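The ingress check BCP38 asks for, as an added illustration that is not part of this thread or anyone's router configuration: a customer-facing interface only passes packets whose source address lies in space assigned to that customer. Interface names, prefixes and the sample packets are constructed.

```python
"""Strict BCP38 ingress source-address check (added illustration, constructed data)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: address space assigned to each customer-facing interface.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "ge-0/0/1": ["192.0.2.0/24", "2001:db8:1::/48"],
    "ge-0/0/2": ["198.51.100.0/25"],
}


def build_filter(table: Dict[str, List[str]]) -> Dict[str, list]:
    """Parse the per-interface prefix lists once, so lookups are cheap."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in table.items()}


def ingress_permitted(filters: Dict[str, list], ifname: str, src: str) -> bool:
    """True only if src falls inside a prefix assigned to ifname.

    Unknown interfaces fail closed: a packet arriving somewhere we have no
    assignment for is treated as spoofed rather than waved through.
    """
    nets = filters.get(ifname)
    if nets is None:
        return False
    addr = ipaddress.ip_address(src)
    # ipaddress returns False for a v4 address tested against a v6 network, and
    # vice versa, so mixed families never match by accident.
    return any(addr in net for net in nets)


def classify(filters: Dict[str, list],
             packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Tag (interface, src, dst) tuples as permit or drop; drops are the
    'customer claiming to be a third party' traffic the post refers to."""
    return [(ifname, src, "permit" if ingress_permitted(filters, ifname, src) else "drop")
            for ifname, src, _dst in packets]


if __name__ == "__main__":
    f = build_filter(CUSTOMER_PREFIXES)
    sample = [("ge-0/0/1", "192.0.2.77", "203.0.113.1"),      # genuine customer source
              ("ge-0/0/1", "198.51.100.9", "203.0.113.1"),    # forged: someone else's space
              ("ge-0/0/2", "198.51.100.200", "203.0.113.1"),  # outside the assigned /25
              ("ge-0/0/1", "2001:db8:1::5", "2001:db8:ffff::1")]
    for row in classify(f, sample):
        print(*row)
```

A customer that legitimately originates space obtained elsewhere (multihoming, PI space) must have that space added to its interface's list, or strict checking will drop its real traffic along with the forged packets.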
