North American Network Operators Group

Re: MD5 in BGP4
> It's a kind of useless thing. If you allow spoofing,
> you are vulnerable to the DoS attacks against BGP; if you
> are not, no need to use MD5 for BGP.

Actually, I can think of more than a few configurations where this isn't true. For example, shared-media exchange points where multiple networks reside on a single segment and eBGP peer using the address of the segment. The IP network number is associated only with the interface; there's no individual hardware/IP address relationship relative to anti-spoofing here.

> And DoS attack is the reality, not BGP spoofings (maybe
> you know any such case? I do not know any).

Agreed, its purpose is more so to protect against DoS type stuff at the TCP layer.

> For IS-IS and OSPF, just other matter. They are working
> over the LAN, and customers and internal users are often
> plugged into this network. So, authentication is necessary
> to prevent both errors and intrusions (and the anti-error
> measures are much more important in such networks).

However, I think we'd both agree that a configuration such as this (IGP being enabled on customer facing interfaces) is ill-advised.

> Just again, I know a lot of cases when IGP was broken
> by error (someone installed new server and turned OSPF
> on), but I do not know any attacks of this kind (but
> I believe there are such cases for IGP protocols). Though,
> to defend against such attacks originated from IGP, you
> need a lot of things be used (non Redirect, static ARP,
> etc etc).

Agreed.

-danny