North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: MD5 in BGP4

  • From: Sean Donelan
  • Date: Wed Jul 12 13:36:14 2000

On Wed, 12 July 2000, Danny McPherson wrote:
> The primary goal of the BGP MD5 signature option is 
> to protect the TCP substrate from introduction of 
> spoofed TCP segments such a TCP RSTs.  These segments
> could easily be injected from anywhere on the Internet.

BGP MD5 signatures do not protect the TCP/IP stream from
spoofed TCP RSTs.  The MD5 signature is checked at the
BGP application layer after passing through and being
acted on by the TCP stack.  You can play all sorts of
MAC, ARP, ICMP, IP and TCP games with the stream which
MD5 won't prevent.

Why we haven't seen more of these attacks I don't know for
sure.