nanog mailing list archives
RE: TCP/BGP vulnerability - easier than you think
From: "Michel Py" <michel () arneill-py sacramento ca us>
Date: Wed, 21 Apr 2004 07:35:27 -0700
Adam Rothschild wrote:
> Which begs the question, what is one to do, shy of moving (private) peering/transit/customer /31's and /30's into non-routable IP space, which opens up an entirely new can of worms?
Insist that the peer uses "ip verify unicast reverse-path" on all interfaces, or similar command for other vendors.
Fact of the matter is, MD5 computation/verification is not cheap, and many Cisco and Juniper platforms aren't designed to handle a barrage of MD5-hashed TCP packets. All things considered, I think MD5 authentication will lower the bar for attackers, not raise it. I'm sure code optimizations could fix things to some degree, but that's just not the case today.
Certainly the best reason not to MD5 I have heard so far.
Mikael Abrahamsson wrote:
> http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml
> This one seems much worse than the TCP RST problem.
Relatively easy to filter though.

Michel.
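The suggestion above is to have the peer enable strict unicast reverse-path forwarding ("ip verify unicast reverse-path" on IOS) so that a packet whose source address claims to be one end of a point-to-point /30 is dropped unless it actually arrives on that link. The following is an added illustration, not code from the original post or from any vendor: a small model of the strict uRPF check run over a constructed FIB and a few constructed packets. The prefixes, interface names and addresses are all made up for the example.

```python
import ipaddress

# Constructed FIB for the illustration (prefix -> egress interface); not any real router's table.
FIB = {
    "0.0.0.0/0": "Gi0/0",        # default route toward a transit provider
    "192.0.2.0/24": "Gi0/1",     # a customer prefix learned over Gi0/1
    "198.51.100.0/30": "Gi0/2",  # point-to-point /30 to a private peer
}


def best_route(fib, ip):
    """Longest-prefix match. Returns (network, interface) or None when nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib, src_ip, ingress_iface, allow_default=False):
    """Strict-mode uRPF verdict for one packet.

    Accept only when the route back to the source address leaves through the
    interface the packet arrived on. A match on the default route counts only
    when allow_default is set (the 'allow-default' keyword on IOS); otherwise a
    source reachable only via the default route is dropped.
    """
    route = best_route(fib, src_ip)
    if route is None:
        return False
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress_iface


def filter_packets(fib, packets, allow_default=False):
    """Apply strict uRPF to (src_ip, ingress_iface) tuples; return one verdict per packet."""
    return [urpf_strict(fib, src, iface, allow_default) for src, iface in packets]


# Constructed sample traffic: claimed source address and the interface it arrived on.
SAMPLE = [
    ("198.51.100.2", "Gi0/2"),  # the real peer, on the peering link
    ("198.51.100.2", "Gi0/0"),  # same source claimed by a packet arriving from transit
    ("192.0.2.10", "Gi0/1"),    # customer host on its own link
    ("192.0.2.10", "Gi0/2"),    # customer address arriving on the peering link
    ("203.0.113.5", "Gi0/0"),   # arbitrary internet source via transit (default route only)
]

if __name__ == "__main__":
    for (src, iface), ok in zip(SAMPLE, filter_packets(FIB, SAMPLE)):
        print(f"{src:15} on {iface}: {'pass' if ok else 'drop'}")
```

The second sample packet is the case the post cares about: a segment claiming the peer's /30 address but entering from the transit side never matches the peering interface, so it is discarded before any TCP state is consulted. Strict mode assumes the return path is symmetric, which holds by construction on a point-to-point link; on a multi-homed edge with asymmetric routing the same check drops legitimate traffic, which is why the setting is usually pushed onto customer and peering interfaces rather than transit.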
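The MD5 exchange above rests on how TCP MD5 signatures (RFC 2385) are checked: the receiver has to run MD5 over the pseudo-header, the TCP header and the payload of every signed segment before it can tell a good segment from a bad one, so the cost is paid on rejected segments too. This is an added example and not code from the original post or from any router vendor; it builds the RFC 2385 digest for constructed segments and counts how many MD5 computations a receiver spends on a burst in which only one segment carries the right key. The addresses, ports and key are made up.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5_OPTS_LEN = 20  # kind + length + 16-byte digest = 18 bytes, padded to 20 on the wire

# Counter of digest computations, so the receiver-side cost can be observed.
DIGEST_CALLS = [0]


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, key):
    """RFC 2385 digest for one IPv4 segment.

    MD5 over: the pseudo-header (src, dst, zero, protocol, segment length), the
    fixed 20-byte TCP header with the checksum field zeroed (options are not
    hashed, but their length is reflected in data offset and segment length),
    the payload, and finally the shared key.
    """
    DIGEST_CALLS[0] += 1
    hdr_len = 20 + MD5_OPTS_LEN
    data_offset = (hdr_len // 4) << 4
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)
    seg_len = hdr_len + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, TCP_PROTO, seg_len)
    return hashlib.md5(pseudo + tcp_hdr + payload + key).digest()


def build_segment(src, dst, sport, dport, seq, ack, flags, window, payload, key):
    """Sender side: a segment (as a dict) carrying the digest computed under `key`."""
    seg = dict(src=src, dst=dst, sport=sport, dport=dport, seq=seq, ack=ack,
               flags=flags, window=window, payload=payload)
    seg["digest"] = tcp_md5_digest(src, dst, sport, dport, seq, ack, flags, window, payload, key)
    return seg


def verify_segment(seg, key):
    """Receiver side: recompute the digest under the local key and compare in constant time."""
    expected = tcp_md5_digest(seg["src"], seg["dst"], seg["sport"], seg["dport"], seg["seq"],
                              seg["ack"], seg["flags"], seg["window"], seg["payload"], key)
    return hmac.compare_digest(expected, seg["digest"])


def process_burst(segments, key):
    """Verify every segment; return (accepted, rejected, md5_computations_spent)."""
    start = DIGEST_CALLS[0]
    accepted = rejected = 0
    for seg in segments:
        if verify_segment(seg, key):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected, DIGEST_CALLS[0] - start


if __name__ == "__main__":
    # Constructed BGP session between two /30 neighbours; key is made up for the example.
    KEY = b"constructed-example-key"
    RST, ACK = 0x04, 0x10
    good = build_segment("198.51.100.1", "198.51.100.2", 179, 40000, 1000, 2000, ACK, 16384, b"", KEY)
    junk = [build_segment("198.51.100.1", "198.51.100.2", 179, 40000, 1000 + i, 2000, RST, 16384, b"", b"no-key")
            for i in range(5)]
    print(process_burst([good] + junk, KEY))  # one accepted, five rejected, six MD5 runs
```

Each rejected segment still costs the receiver a full MD5 over the segment, which is the point being made above: signing stops a forged segment from being accepted, but it does not stop the forged segment from consuming verification time, and that work lands on the control plane of the box terminating the session.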