[81690] in North American Network Operators' Group


Re: md5 for bgp tcp sessions

daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Jun 23 11:24:19 2005

Date: Thu, 23 Jun 2005 11:23:53 -0400
From: Jared Mauch <jared@puck.nether.net>
To: Todd Underwood <todd@renesys.com>
Cc: "Hannigan, Martin" <hannigan@verisign.com>,
	Richard A Steenbergen <ras@e-gerbil.net>, nanog@merit.edu
In-Reply-To: <20050623142749.GE25623@renesys.com>
Errors-To: owner-nanog@merit.edu


On Thu, Jun 23, 2005 at 10:27:49AM -0400, Todd Underwood wrote:
> 
> marty,
> 
> On Thu, Jun 23, 2005 at 10:22:07AM -0400, Hannigan, Martin wrote:
> > > rolling out magic code because your
> > > vendor tells you to is a bad idea;  
> > 
> > That's mostly the result of the calamitous failure in vulnerability 
> > release methodology, not Operator stupidity. 
> 
> totally agreed.  vendors c, j and several others should be *ashamed*
> of the way that they handled and continue to handle this issue: they

	Hmm, do you mean NISCC?  I think they were
driving the issue:

http://www.uniras.gov.uk/niscc/docs/al-20040420-00199.html?lang=en

> have yet to admit that they raised a panic (in secret, with no facts,
> so that they could not be refuted) over a basic fact of the way tcp
> works, creating outages and instability to fix a non-problem.
> 
> operators in those circumstances had little choice but to roll out
> "critical security fixes", but i think we all deserve an apology, an
> explanation and a commitment to do better in the future.

	Come on folks, this was over a year ago, we've all grown
some (well, at least older) and hopefully wiser in how to handle
these situations as they come up.

	I suspect the vendors, NISCC/UNIRAS, and various global CERTs
have been learning from these events, but it was a while ago, so take
the lesson and move on.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
