Re: MD5 for TCP/BGP Sessions

["Stephen J. Wilcox" <steve () telecomplete co uk>]

without wishing to repeat what can be googled for.. putting acls on your edge to 
protect your ebgp sessions wont work for obvious reasons -- to spoof data and 
disrupt a session you have to spoof the srcip which of course the acl will allow 
in

Steve

On Thu, 31 Mar 2005, Pekka Savola wrote:

> On Wed, 30 Mar 2005, John Kristoff wrote:
> [on bgp/md5 and acl's]
> > ACLs are often used, but vary widely depending on organization.
> > It can be difficult to manage ACLs on a box with a large number
> > of peers that uses many local BGP peering addresses.  I'm sure
> > some organizations reviewed and updated their ACLs as a result
> > of the last scare, but that is a local, private decision and it
> > would probably be hard to get good sample of who and what changed.
>
> I would be double careful here, just to make sure everybody 
> understands what you're protecting.
>
> iBGP sessions?  ACLs are trivial if you have your borders secured.
>
> eBGP sessions?  GTSM is your friend (if supported).  Practically, if 
> you know your peer and you also protect your borders, ACLs are rather 
> trivial as well.
>
> What you seem to be saying is using ACLs to enumerate the valid 
> endpoints for eBGP sessions.  That goes further than the above but 
> indeed is also a pain to set up and maintain.
>
> There are other attacks you can make against TCP sessions (protected 
> by MD5 or not) using ICMP, though. (see 
> draft-gont-tcpm-icmp-attacks-03.txt).