North American Network Operators Group


Re: Winstar says there is no TCP/BGP vulnerability

  • From: Rob Thomas
  • Date: Wed Apr 21 00:13:53 2004

Hi, NANOGers.

] Actual data: Over the past three plus years an organization with on the
] order of a dozen MD5-ized BGP sessions has had multiple down sessions
] due to, for instance, a peer doing standard (for them) password
] rotation and forgetting to inform the organization.

Yep, that's a problem - a PROCESS problem.  The definition of insanity
is repeating the same behavior over and over and expecting a different
result.  ;)

Saying that we've not seen any RST attacks may be correct, but it's
not a predictor of future activity.  No one can do more than model
what may come next.  Prior to February 2001 no one had seen massive
DDoS either.  Anyone still think DDoS isn't a problem?

We manage well over 150 peering sessions with MD5 passwords in place.
This includes bogon peering, route-server peering, and production
traffic peering.  This has grown over the past three years.  The total
number of MD5-related outages:  zero.

In other words, your mileage may vary.  :)

Test any feature.  Think about how to manage that feature, both in the
deployment stage and in steady-state.  I don't advocate the use of any
feature, be it MD5, MPLS, et al., without careful consideration of the
support ramifications of it.

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
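As an added example that is not part of Rob Thomas's post or the NANOG thread: the outage pattern quoted above (a peer rotates its MD5 password without telling anyone, the session drops) is easy to tell apart from a reachability problem if you look at TCP authentication failures alongside BGP neighbor-down events. The Python below does that correlation over a constructed, vendor-neutral syslog-like format (the log lines, hostnames, addresses and message wording are all invented for the example; real router syslog formats differ, so the regexes are an assumption to adapt). It flags a session drop preceded by bad MD5 digests from the same peer as a probable key mismatch, which is a process problem to raise with the peer, rather than something to chase in the network.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real router output).
SAMPLE_LOG = """\
2004-04-20T23:55:01 rtr1 TCP: bad MD5 digest from 192.0.2.10:179 to 192.0.2.1:41234
2004-04-20T23:55:04 rtr1 TCP: bad MD5 digest from 192.0.2.10:179 to 192.0.2.1:41240
2004-04-20T23:56:30 rtr1 BGP: neighbor 192.0.2.10 Down Hold timer expired
2004-04-20T23:58:00 rtr1 BGP: neighbor 198.51.100.7 Down Interface flap
2004-04-21T00:05:00 rtr1 BGP: neighbor 203.0.113.9 Down Hold timer expired
"""

# Assumed message shapes; adjust to the syslog format your routers emit.
BADAUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) TCP: bad MD5 digest from (?P<peer>[\d.]+):\d+"
)
DOWN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) BGP: neighbor (?P<peer>[\d.]+) Down (?P<reason>.*)$"
)


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed log format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def classify_session_downs(log_text, window=timedelta(minutes=5)):
    """Return a list of (peer, reason, verdict) for every BGP neighbor-down event.

    A down event is labelled a probable MD5 key mismatch when the same peer
    produced bad-digest messages within `window` before the drop.
    """
    bad_digests = {}  # peer address -> timestamps of bad MD5 digests
    downs = []        # (timestamp, peer, reason)

    for line in log_text.splitlines():
        m = BADAUTH_RE.match(line)
        if m:
            bad_digests.setdefault(m["peer"], []).append(parse_ts(m["ts"]))
            continue
        m = DOWN_RE.match(line)
        if m:
            downs.append((parse_ts(m["ts"]), m["peer"], m["reason"]))

    results = []
    for ts, peer, reason in downs:
        # Bad digests from this peer in the window leading up to the drop.
        hits = [t for t in bad_digests.get(peer, []) if ts - window <= t <= ts]
        if hits:
            verdict = (f"probable MD5 key mismatch ({len(hits)} bad digests "
                       f"in prior {window}); confirm key rotation with peer")
        elif reason.startswith("Hold timer"):
            verdict = "hold timer expired, no auth failures seen; check reachability"
        else:
            verdict = "other"
        results.append((peer, reason, verdict))
    return results


if __name__ == "__main__":
    for peer, reason, verdict in classify_session_downs(SAMPLE_LOG):
        print(f"{peer:15} {reason:22} -> {verdict}")
```

The window is deliberately short: bad digests that stop minutes before a hold-timer expiry are exactly what a silent key change on the far end looks like, and a steady trickle of bad digests with no drop is a separate thing to watch for. Feed the function your real log tail and widen or narrow the window to match your hold timers.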