[81665] in North American Network Operators' Group
Re: md5 for bgp tcp sessions
daemon@ATHENA.MIT.EDU (Todd Underwood)
Thu Jun 23 05:57:35 2005
Date: Thu, 23 Jun 2005 05:57:05 -0400
From: Todd Underwood <todd@renesys.com>
To: Richard A Steenbergen <ras@e-gerbil.net>
Cc: nanog@merit.edu
In-Reply-To: <20050623041412.GY696@overlord.e-gerbil.net>
Errors-To: owner-nanog@merit.edu
ras, all,
On Thu, Jun 23, 2005 at 12:14:12AM -0400, Richard A Steenbergen wrote:
> On Wed, Jun 22, 2005 at 10:04:09PM -0400, Todd Underwood wrote:
> > a) many (all?) implementations of md5 protection of tcp expose
> > new, easy-to-exploit vulnerabilities in host OSes. md5 verification
> > is slow and done on a main processor of most routers. md5
> > verification typically takes places *before* the sequence number,
> > ports, and ip are checked to see whether they apply to a valid
> > session. as a result, you've exposed a trivial processor DOS to your
> > box.
>
> Well, I think they've finally fixed this one by now, at least everyone
> that I'm aware of has done so. Immediately following the whining to start
> deploying MD5 is was certainly the case that many implementations did
> stupid stuff like process MD5 before running other validity checks like
> sequence numbers which are far less computationally intensive, and there
> were a few MSS bugs that popped up, but they should have all been worked
> out by now. I don't think that anyone running modern code is suffering any
> more attack potential because of this.
my understanding is that md5 is still checked before the ttl-hack
check takes place on cisco (and perhaps most router platforms). new
attack vector for less security than you had before. oh well. ras:
can you confirm that it is possible to implement ttl-hack and have it
check *before* md5 signature checks?
the chaos (and crappy quality of the implementations) during the panic
demonstrates two other things: rolling out magic code because your
vendor tells you to is a bad idea; slapping together a hack on top of
a well-designed protocol without careful thought and testing is a
terrible idea.
t.
--
_____________________________________________________________________
todd underwood
director of operations & security
renesys - interdomain intelligence
todd@renesys.com www.renesys.com
