[81661] in North American Network Operators' Group
Re: md5 for bgp tcp sessions
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Thu Jun 23 00:43:32 2005
In-Reply-To: <20050623041412.GY696@overlord.e-gerbil.net>
Cc: "Patrick W. Gilmore" <patrick@ianai.net>
From: "Patrick W. Gilmore" <patrick@ianai.net>
Date: Thu, 23 Jun 2005 00:32:27 -0400
To: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
On Jun 23, 2005, at 12:14 AM, Richard A Steenbergen wrote:
> Just please realize that this is a trivial layer of security, an extra
> little bit of insurance to make it harder to alter the packets in
> flight
> or screw with the delivery protocol, and as such the key is not a
> state
> secret. I am going to seriously hurt the next person who wants to
> exchange
> phone numbers via pgp encrypted email so that we can have a conference
> call to set up a meeting where we can whisper MD5 keys to each
> other in
> pig latin while standing under the god damned cone of silence and then
> shoot the engineers who configured it on the router afterwards.
It's not just trivial, it's nearly useless.
Would someone please raise their hand if they have ever seen this
attack in the wild? Anyone?
Seems the TTL hack is much more effective at guarding against this
sort of thing, doesn't require "secrets", far less CPU intensive,
easier to configure, etc., etc., etc.
Want security? I suggest you use something that has more benefit
than cost.
--
TTFN,
patrick
