[79093] in North American Network Operators' Group


Re: MD5 for TCP/BGP Sessions

daemon@ATHENA.MIT.EDU (Pekka Savola)
Wed Mar 30 16:40:13 2005

Date: Thu, 31 Mar 2005 00:39:42 +0300 (EEST)
From: Pekka Savola <pekkas@netcore.fi>
To: John Kristoff <jtk@northwestern.edu>
Cc: nanog@merit.edu
In-Reply-To: <20050330165505.C0360136C82@aharp.ittns.northwestern.edu>
Errors-To: owner-nanog@merit.edu


On Wed, 30 Mar 2005, John Kristoff wrote:
[on bgp/md5 and acl's]
> ACLs are often used, but vary widely depending on organization.
> It can be difficult to manage ACLs on a box with a large number
> of peers that uses many local BGP peering addresses.  I'm sure
> some organizations reviewed and updated their ACLs as a result
> of the last scare, but that is a local, private decision and it
> would probably be hard to get good sample of who and what changed.

I would be double careful here, just to make sure everybody 
understands what you're protecting.

iBGP sessions?  ACLs are trivial if you have your borders secured.

eBGP sessions?  GTSM is your friend (if supported).  Practically, if 
you know your peer and you also protect your borders, ACLs are rather 
trivial as well.

What you seem to be saying is using ACLs to enumerate the valid 
endpoints for eBGP sessions.  That goes further than the above but 
indeed is also a pain to set up and maintain.

There are other attacks you can make against TCP sessions (protected 
by MD5 or not) using ICMP, though. (see 
draft-gont-tcpm-icmp-attacks-03.txt).

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
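To make the two mechanisms in Pekka's reply concrete, here is an added example that is not part of the thread or any vendor's code: a small policy evaluator that models the GTSM hop check (RFC 3682/5082) alongside an ACL that enumerates the valid BGP endpoint pairs, run over constructed packet records. The peer table, the addresses (RFC 5737 documentation prefixes) and the sample packets are all constructed, and the TTL floor is derived from the hop count as 255 minus the number of intermediate routers, which is how the example models GTSM rather than any particular router's CLI semantics.

```python
from dataclasses import dataclass

BGP_PORT = 179
MAX_TTL = 255


@dataclass(frozen=True)
class Peer:
    address: str        # configured neighbour address (constructed)
    hops: int           # routers between us and the peer, 1 = directly connected
    gtsm: bool = True   # peer is configured to send BGP with TTL 255


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ttl: int


def gtsm_floor(peer):
    """Lowest TTL a genuine packet from this peer can arrive with: it leaves
    the peer at 255 and each intermediate router decrements it by one."""
    return MAX_TTL - (peer.hops - 1)


def gtsm_ok(pkt, peer):
    """GTSM check: a sender further away than the peer cannot make the TTL
    arrive at or above the floor, because routers only ever decrement it."""
    return (not peer.gtsm) or pkt.ttl >= gtsm_floor(peer)


def find_peer(pkt, peers, local_addrs):
    """ACL-style endpoint check: the packet must target one of our peering
    addresses and come from a configured neighbour. Returns the Peer or None."""
    if pkt.dst not in local_addrs:
        return None
    for p in peers:
        if p.address == pkt.src:
            return p
    return None


def evaluate(pkt, peers, local_addrs):
    """Apply the ACL check first, then GTSM; returns 'accept' or a drop reason."""
    if pkt.dport != BGP_PORT:
        return "accept"  # non-BGP traffic is outside this example's scope
    peer = find_peer(pkt, peers, local_addrs)
    if peer is None:
        return "drop: not a configured BGP endpoint pair"
    if not gtsm_ok(pkt, peer):
        return f"drop: ttl {pkt.ttl} below GTSM floor {gtsm_floor(peer)}"
    return "accept"


# Constructed configuration using documentation prefixes (RFC 5737).
LOCAL_ADDRS = {"192.0.2.1"}
PEERS = [
    Peer("192.0.2.2", hops=1),                # directly connected eBGP peer
    Peer("198.51.100.10", hops=3),            # multihop eBGP peer, two routers between
    Peer("203.0.113.5", hops=1, gtsm=False),  # peer that cannot do GTSM: ACL only
]

# Constructed packets, in order: genuine direct peer, same source but TTL that
# only a distant sender could produce, unknown source, genuine multihop peer,
# multihop peer one router too far, non-GTSM peer (ACL is the only check).
SAMPLES = [
    Packet("192.0.2.2", "192.0.2.1", BGP_PORT, 255),
    Packet("192.0.2.2", "192.0.2.1", BGP_PORT, 249),
    Packet("198.51.100.77", "192.0.2.1", BGP_PORT, 255),
    Packet("198.51.100.10", "192.0.2.1", BGP_PORT, 253),
    Packet("198.51.100.10", "192.0.2.1", BGP_PORT, 252),
    Packet("203.0.113.5", "192.0.2.1", BGP_PORT, 240),
]


def run_demo():
    """Evaluate every sample packet against the constructed policy."""
    return [evaluate(p, PEERS, LOCAL_ADDRS) for p in SAMPLES]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, run_demo()):
        print(f"{pkt.src:>15} ttl={pkt.ttl:3d} -> {verdict}")
```

The ordering matters in practice as well as in the example: the ACL drops traffic that is not between configured endpoints before any TTL arithmetic, and GTSM then catches packets whose TTL shows they travelled further than the real peer could be. Neither check addresses the ICMP-based attacks Pekka points to, which target the TCP session through a different protocol entirely.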
