North American Network Operators Group

Re: protecting operational networks
Ran Atkinson wrote:

> IMHO, any serious network operator using OSPF or BGP should
> have already deployed the techniques below (as applicable):
> OSPF with Keyed MD5 Authentication
> BGP-4 with the Keyed MD5 Authentication extension
> as a TCP option.

Well, it does not protect against the threat #1 -- namely source of perfectly good-looking but bogus routes.

In fact, cryptography is not the best (or most useful) solution for protecting routing infrastructure from barge-in attacks. The real solution is very simple -- the packets carrying routing data should _not_ be routable. ARP is a good example.

Unfortunately the present braindeadedness of IGPs which makes kludges like iBGP hack necessary makes multihop routing of network control information inevitable.

I would say we should concentrate on fixing the original problem, not trying to patch holes in the broken-as-designed architecture.

> WRT ISIS, lack of a CLNP infrastructure limits the ability of
> outsiders to attack a network. Nonetheless, ISIS should probably
> also get some kind of cryptographic authentication extension.

Heh. CLNP is quite widely routed. At some point it was very useful as a way to defeat access-filter based protection in ciscos (that was fixed, though).

--vadim