[81657] in North American Network Operators' Group
md5 for bgp tcp sessions
daemon@ATHENA.MIT.EDU (Todd Underwood)
Wed Jun 22 22:04:44 2005
Date: Wed, 22 Jun 2005 22:04:09 -0400
From: Todd Underwood <todd@renesys.com>
To: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
eric, all,
not to pick on eric at all, but since he raised the issue...
On Wed, Jun 22, 2005 at 11:42:46AM -0400, Eric Gauthier wrote:
> likely need to make modifications to our IGP/EGP setup. Though we filter
> OSPF multicast traffic, we wanted to add in MD5 passwords to our
> neighbors.
just a quick comment here. i would encourage you not to do that.
the md5 password hack to protect tcp sessions is rapidly falling out
of favor for a number of reasons. among them:
1) it protects against a very limited "vulnerability". for operating
systems that stay up for reasonable periods of time, that generate
sufficiently random ISNs and that check for in-windowness of syns and
rsts, there is a very limited exposure.
2) the cure is worse than the disease:
a) many (all?) implementations of md5 protection of tcp expose
new, easy-to-exploit vulnerabilities in host OSes. md5 verification
is slow and done on a main processor of most routers. md5
verification typically takes place *before* the sequence number,
ports, and ip are checked to see whether they apply to a valid
session. as a result, you've exposed a trivial processor DoS to your
box.
b) coordination problems cause downtime. password
coordination problems are reported to be a major cause of downtime
among peers that i interact with. this downtime is costly and is much
greater than the downtime caused by the (theoretical and not actively
exploited) tcp "vulnerability".
i would encourage everyone to seriously rethink the routine use of MD5
passwords to protect BGP tcp sessions.
t.
--
_____________________________________________________________________
todd underwood
director of operations & security
renesys - interdomain intelligence
todd@renesys.com www.renesys.com
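The two technical claims in the post (the in-window check on ISN-randomised sessions leaves very little exposure, and an MD5 check that runs before the window check turns every spoofed packet into a hash computation) can be modelled in a few dozen lines. What follows is an added example, not code from the post or from any router vendor: it computes the RFC 2385 TCP MD5 signature over a constructed segment (pseudo-header, TCP header with checksum zeroed and options excluded, data, key) and then runs the same constructed flood of out-of-window spoofed RSTs through two toy receive paths that differ only in whether the cheap window check or the expensive signature check comes first. The addresses, ports, key, sequence numbers and the 20-byte option area are all made up for the simulation; real stacks differ in detail, and the ordering shown as "sig_first" is the one the post says is typical, not a statement about any particular OS.

```python
"""RFC 2385 TCP MD5 signature over a constructed segment, plus a toy model of
two receive-path orderings: MD5 check before vs. after the sequence-number
window check.  Added example; not code from the original post."""
import hashlib
import random
import struct
from dataclasses import dataclass


def tcp_md5_digest(src_ip: bytes, dst_ip: bytes, sport: int, dport: int,
                   seq: int, ack: int, flags: int, window: int,
                   doff_words: int, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over the pseudo-header (src, dst, zero, proto,
    segment length), the TCP header with checksum zeroed and options excluded,
    the segment data, and the shared key."""
    seg_len = doff_words * 4 + len(payload)          # header incl. options + data
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, seg_len)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      doff_words << 4, flags, window, 0, 0)  # checksum=0, urg=0
    return hashlib.md5(pseudo + hdr + payload + key).digest()


@dataclass
class Segment:
    seq: int
    flags: int
    payload: bytes
    digest: bytes          # value carried in the MD5 option (may be garbage)


@dataclass
class Conn:
    src_ip: bytes
    dst_ip: bytes
    sport: int
    dport: int
    rcv_nxt: int
    rcv_wnd: int
    key: bytes


RST, ACK = 0x04, 0x10
DOFF = 10   # assumed: 20-byte header + 20 bytes of options (18-byte MD5 option, padded)


def in_window(seg: Segment, c: Conn) -> bool:
    """Cheap check: seq in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32."""
    return (seg.seq - c.rcv_nxt) % (1 << 32) < c.rcv_wnd


def sig_ok(seg: Segment, c: Conn, cost: dict) -> bool:
    """Expensive check: recompute the signature.  cost['md5'] counts calls."""
    cost["md5"] += 1
    want = tcp_md5_digest(c.src_ip, c.dst_ip, c.sport, c.dport, seg.seq, 0,
                          seg.flags, 0, DOFF, seg.payload, c.key)
    return want == seg.digest


def receive_sig_first(seg: Segment, c: Conn, cost: dict) -> str:
    """Ordering the post criticises: every spoofed packet costs one MD5."""
    if not sig_ok(seg, c, cost):
        return "drop:bad-sig"
    if not in_window(seg, c):
        return "drop:out-of-window"
    return "accept"


def receive_window_first(seg: Segment, c: Conn, cost: dict) -> str:
    """Window check first: only in-window segments ever reach MD5."""
    if not in_window(seg, c):
        return "drop:out-of-window"
    if not sig_ok(seg, c, cost):
        return "drop:bad-sig"
    return "accept"


def make_segment(c: Conn, seq: int, flags: int, payload: bytes, key: bytes) -> Segment:
    d = tcp_md5_digest(c.src_ip, c.dst_ip, c.sport, c.dport, seq, 0,
                       flags, 0, DOFF, payload, key)
    return Segment(seq, flags, payload, d)


def simulate(n_spoofed: int = 10000, seed: int = 2005) -> dict:
    """Constructed scenario: one legitimate RST, one in-window RST signed with
    the wrong key, and n_spoofed RSTs with random seq and garbage signatures."""
    c = Conn(src_ip=bytes([192, 0, 2, 1]), dst_ip=bytes([198, 51, 100, 1]),
             sport=179, dport=40000, rcv_nxt=0x12345678, rcv_wnd=65535,
             key=b"bgp-session-password")       # all values constructed
    rng = random.Random(seed)
    legit = make_segment(c, c.rcv_nxt, RST | ACK, b"", c.key)
    wrong_key = make_segment(c, c.rcv_nxt + 10, RST | ACK, b"", b"guess")
    flood = [Segment(rng.getrandbits(32), RST | ACK, b"",
                     rng.getrandbits(128).to_bytes(16, "big")) for _ in range(n_spoofed)]
    results = {}
    for name, path in (("sig_first", receive_sig_first),
                       ("window_first", receive_window_first)):
        cost = {"md5": 0}
        verdicts = [path(legit, c, cost), path(wrong_key, c, cost)]
        verdicts += [path(s, c, cost) for s in flood]
        results[name] = {"legit": verdicts[0], "wrong_key": verdicts[1],
                         "flood_accepted": verdicts[2:].count("accept"),
                         "md5_calls": cost["md5"]}
    return results


if __name__ == "__main__":
    for name, r in simulate().items():
        print(f"{name:13s} legit={r['legit']} wrong_key={r['wrong_key']} "
              f"flood_accepted={r['flood_accepted']} md5_calls={r['md5_calls']}")
```

Both paths reject the wrongly keyed RST and accept none of the flood, so the signature buys nothing against blind out-of-window packets that the window check already drops; the difference is that the signature-first path computes one MD5 per spoofed packet, while the window-first path computes it only for the handful (on the order of rcv_wnd / 2^32 of the flood) that land inside the window. That ratio is the post's point 1 in numbers, and the md5_calls gap is its point 2a.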