[79098] in North American Network Operators' Group


Re: MD5 for TCP/BGP Sessions

daemon@ATHENA.MIT.EDU (vijay gill)
Wed Mar 30 18:53:01 2005

Date: Wed, 30 Mar 2005 18:52:26 -0500
From: vijay gill <vgill@vijaygill.com>
To: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
Cc: Pekka Savola <pekkas@netcore.fi>,
	John Kristoff <jtk@northwestern.edu>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0503310016240.17446-100000@server2.tcw.telecomplete.net>
Errors-To: owner-nanog@merit.edu


Stephen J. Wilcox wrote:
> without wishing to repeat what can be googled for.. putting acls on your edge to 
> protect your ebgp sessions won't work for obvious reasons -- to spoof data and 
> disrupt a session you have to spoof the srcip which of course the acl will allow 
> in
> 

This is why you either have a stateful firewall in your router that 
pushes a dynamic acl down to the linecard (or equivalent forwarding 
place where the for_us vs through_us decision is made), and filter it 
there. That makes guessing the correct 5 tuple a bit harder. Obviously 
GTSM is the closest we have yet to hardening (note I did not use 
securing) the session.

On average, the stateful filter will cause the attacker to try 32000 
times to find the correct 4-tuple. Conversely, attacker resources will need 
to be on average 32000 times greater to adversely affect a router. The 
cost of attacking infrastructure has risen, but the cost to the defender is 
minor.

Each configured BGP session already has all the state needed above to 
populate the filter.


/vijay
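The for_us filter described in the message above, as an added illustration that is not part of the original post or any router vendor's code: the filter is populated from the 4-tuples of configured BGP sessions, optionally enforces the GTSM TTL check, and the expected-guess figure follows from the size of the ephemeral port range. The session, packets and port-range size are constructed sample values.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

BGP_PORT = 179
GTSM_EXPECTED_TTL = 255  # RFC 5082: a directly connected peer sends TTL 255

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ttl: int

@dataclass(frozen=True)
class BgpSession:
    local_ip: str
    peer_ip: str
    local_port: int   # 179 on the passive side, ephemeral on the active side
    peer_port: int
    gtsm: bool = False

class ForUsFilter:
    """Dynamic ACL keyed on the 4-tuple of each configured BGP session."""

    def __init__(self, sessions: Iterable[BgpSession]):
        # Key as seen by the router: (peer src, our dst, peer sport, our dport).
        self._allowed = {(s.peer_ip, s.local_ip, s.peer_port, s.local_port): s
                         for s in sessions}

    def classify(self, pkt: Packet) -> Tuple[bool, str]:
        sess = self._allowed.get((pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port))
        if sess is None:
            return False, "drop: 4-tuple matches no configured session"
        if sess.gtsm and pkt.ttl != GTSM_EXPECTED_TTL:
            return False, "drop: GTSM TTL check failed"
        return True, "accept"

def expected_guesses(port_range_size: int = 64000) -> int:
    """Average spoofed attempts needed to hit one unknown port in a uniform range."""
    return port_range_size // 2

# Constructed sample: we are the passive side (port 179), peer used ephemeral 53412.
SESSIONS = [BgpSession("192.0.2.1", "198.51.100.2", BGP_PORT, 53412, gtsm=True)]

def audit(packets: Iterable[Packet]) -> List[str]:
    f = ForUsFilter(SESSIONS)
    return [f.classify(p)[1] for p in packets]
```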
