RE: TCP/BGP vulnerability - easier than you think

["Michel Py" <michel () arneill-py sacramento ca us>]

> Adam Rothschild wrote:
> Which begs the question, what is one to do, shy of
> moving (private) peering/transit/customer /31's and
> /30's into non-routable IP space, which opens up an
> entirely new can of worms?

Insist that the peer uses "ip verify unicast reverse-path" on all
interfaces, or similar command for other vendors.

> Fact of the matter is, MD5 computation/verification
> is not cheap, and many Cisco and Juniper platforms
> aren't designed to handle a barrage of MD5-hashed
> TCP packets. All things considered, I think MD5
> authentication will lower the bar for attackers, not
> raise it.  I'm sure code optimizations could fix
> things to some degree, but that's just not the case
> today.

Certainly the best reason not to MD5 I have heard so far.


> Mikael Abrahamsson wrote:
> http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml
> This one seems much worse than the TCP RST problem.

Relatively easy to filter though.

Michel.