[79082] in North American Network Operators' Group
MD5 for TCP/BGP Sessions
daemon@ATHENA.MIT.EDU (Doug Legge)
Wed Mar 30 10:52:03 2005
From: Doug Legge <Doug.Legge@BerkeleyGroup.co.uk>
To: "'nanog@merit.edu'" <nanog@merit.edu>
Date: Wed, 30 Mar 2005 16:50:38 +0100
Errors-To: owner-nanog@merit.edu
NANOG,
I'm currently writing a paper for submission, as part of an MSc in Data
Communications, and would appreciate it if anyone could update me as to the
implementation of MD5 for TCP authentication in BGP.
Following the alerts last year:
http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml
http://www.us-cert.gov/cas/techalerts/TA04-111A.html
http://www.cisco.com/en/US/products/products_security_advisory09186a00803be7d9.shtml
http://www.foundrynet.com/solutions/security/TCP_Vulnerability_v1_3.pdf
http://www.kb.cert.org/vuls/id/415294
http://isc.sans.org/diary.php?date=2004-04-20
What has been the general effect in the ISP/Enterprise community following
the warnings?
- Have people applied MD5?
- If not, what other technologies were implemented (IPSec AH transport mode
for BGP sessions/ACL/rate limiting etc)?
- Have there been any performance impacts seen since implementation?
- Has the support of the BGP environment been increased because of this
implementation (What policies regarding changing the MD5 keys were
implemented)?
- Was this seen as a valid fix or a knee-jerk reaction (Having re-read the
exchanges on NANOG regarding the actual mathematical probability of generating
this attack, what did the ISP community actually do (compared to what the
academic/vendor community were suggesting))?
Whilst I've had some response from bgp-info and bgp-security, it's not
really been sufficient to draw any real conclusions. From your knowledge and
experience, are you aware, either internally or with customers, of the take-up of
MD5 implementations, and had anyone actually suffered an attack prior to
implementation?
--------------------------------
Please do not supply confidential information or anything that would be
commercially sensitive; if you want to contact me off-line or from a private
account, please do.
Yours
Doug Legge
MDC Student
Kingston University
London /UK