North American Network Operators Group


Re: What Worked - What Didn't

  • From: Patrick W. Gilmore
  • Date: Mon Sep 17 15:04:37 2001


At 02:46 PM 9/17/2001 -0400, [email protected] wrote:
>On Mon, 17 Sep 2001 14:32:35 EDT, "Patrick W. Gilmore" <[email protected]>
>said:
>> If someone can splice into my point-to-point OC system, fake being the
>> router on the other end, and keep my peer from calling me and asking what
>
>You *do* do ingress and egress filtering of your own addresses, and have checked
>that your router does in fact use cryptographically challenging sequence
>numbers, right?

I do not do anything. I Am Not An Isp. :)

But when I did run a network, I did *NOT* ingress filter on my own address space. I ran networks with multi-homed clients. If I did not allow my own address space to be announced to me, I would not have been able to talk to my multi-homed downstreams if their link to me was down. When a link to your upstream is down and you cannot send mail to [email protected] through your second upstream, you tend to get a new upstream pretty quick.

I *ABSOLUTELY* believe in filtering customer announcements into my backbone. Been a big proponent of it for many years. Search the archives.


As for "cryptographically challenging sequence numbers", well, no, I have not inspected the code on any Cisco or Juniper routers lately. Whatever sequence numbers they use are the sequence numbers they use, and I ain't gonna hack the code to change it.


>And even if you don't, using MD5 is not *that* expensive (or shouldn't be),
>and provides security in depth.

I do not *think* it would tax the CPU too much, but it has been at least 3 years since I have done it. IIRC, the CPU overhead was near nil.

And it only provides security for the BGP session, not "in depth". I am not saying that is a bad thing, just mentioning the limitation.


>Unfortunately, I'll bet there's a LOT of routers that don't have filtering
>in place, don't have good sequence numbers, and don't use MD5. Enough said...

Actually, I am still not certain why it was said at all. There are far, far more difficult hurdles to overcome when spoofing a BGP session between major carriers than the sequence numbers. And most people notice when a major peer goes down, very, very quickly. MD5 or not.


In fact, I would wager that the misdirected traffic due to the added configuration complexity (yes, one line, but trust me, it can be a bitch if you forget the line, or forget the password) would far outweigh any savings you got from stopping attacks.

But no way to tell for certain since this type of attack is practically unheard of. (Or perhaps that is a way to tell? :)


> Valdis Kletnieks

--
TTFN,
patrick