North American Network Operators Group

RE: Winstar says there is no TCP/BGP vulnerability
Patrick / Christopher,

>> Michel Py wrote:
>> Please forgive me if I'm naive and/or ask a stupid question,
>> but is there any reason (besides your platform not supporting
>> it) _not_ to MD5 your BGP sessions? Geez, on my _home_ router
>> all my v4 BGP sessions are MD5ed (v6 not there yet).

> Patrick W. Gilmore wrote:
> There is serious operational overhead in maintaining sync'ed
> passwords between separate organizations. IOW: Eventually
> someone will screw up and lose the password.
> [large snip]

Thanks for the insight. I have an even dumber question:

Context: set aside the MD5, the way I configure BGP sessions/traffic from/to peers is as follows:

a) A generic (configured in the peer-group) route-map to filter the routes I announce to the peer to be only my blocks.

b) A specific-to-the-peer route-map to filter the routes I receive from the peer to the peer's blocks, as agreed in the beer drinking meeting ^H^H^H^H BLPA. This route map is not entirely specific, as I also put in stuff such as deny RFC1918 routes ;-)

c) A generic access-list filtering ingress traffic from the peer to me to allow only traffic whose DA is mine. (cracks me up if the peer sets a default to me :-)

d) A generic access-list filtering egress traffic from me to the peer to allow only traffic whose SA is mine.

Now, the dumb question. Given:

1) The context above, especially item b
2) Christopher Morrow's comments below

Explain to me what having or not having the MD5 password changes. Either you're small and/or stupid and do it manually, or you have an automated system that does it for you.

> Christopher L. Morrow wrote:
> there is the issue of changing the keys during operations
> without impacting the network, eh? Having to bounce every
> bgp session in your network can be pretty darned painful...
> if you change the key(s) of course.

See above: Changing the route-map is equally painful.
> If you don't you might as well not have keys, since adding
> the 3 lines of C code required to Paul Watsons' program
> making it do the hashing certainly won't be a big deal, eh?

I'm weak with C. Besides adding "neighbor x.x.x.x password 7 " below "enable-password 7 " for each peer (which requires recompiling, how annoying), would you care to share the said 3 lines for the code below :-)

Michel.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* XOR key stream used by Cisco "type 7" password obfuscation (table as posted). */
static const char xlat[] = {
    0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f, 0x41, 0x2c, 0x2e,
    0x69, 0x79, 0x65, 0x77, 0x72, 0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44
};

static const char pw_str1[] = "password 7 ";
static const char pw_str2[] = "enable-password 7 ";
static const char *pname;

/* Value of one hex digit; the caller has already upper-cased and validated c. */
static int hexval(int c)
{
    return isdigit(c) ? c - '0' : c - 'A' + 10;
}

/*
 * Decode a type 7 string: two decimal digits give the start index into
 * xlat, then each pair of hex digits is one byte XORed with the next xlat
 * byte.  dec_pw receives at most dec_len - 1 characters plus a NUL.
 * Returns 0 on success, -1 on malformed input.
 */
static int cdecrypt(const char *enc_pw, char *dec_pw, size_t dec_len)
{
    size_t len = strlen(enc_pw), i, n = 0;
    unsigned int seed;

    if (len < 2 || (len & 1))
        return -1;
    if (!isdigit((unsigned char)enc_pw[0]) || !isdigit((unsigned char)enc_pw[1]))
        return -1;
    seed = (enc_pw[0] - '0') * 10 + (enc_pw[1] - '0');
    if (seed > 15)
        return -1;

    for (i = 2; i < len; i += 2) {
        int hi = toupper((unsigned char)enc_pw[i]);
        int lo = toupper((unsigned char)enc_pw[i + 1]);

        if (!isxdigit(hi) || !isxdigit(lo))
            return -1;
        /* One key byte per output byte: stay inside the table and the buffer. */
        if (seed >= sizeof xlat || n + 1 >= dec_len)
            return -1;
        dec_pw[n++] = (char)(((hexval(hi) << 4) | hexval(lo)) ^ xlat[seed++]);
    }
    dec_pw[n] = '\0';
    return 0;
}

static void usage(void)
{
    fprintf(stdout, "Usage: %s -p <encrypted password>\n", pname);
    fprintf(stdout, "       %s <router config file> <output file>\n", pname);
}

int main(int argc, char **argv)
{
    FILE *in = stdin, *out = stdout;
    char line[257];
    char passwd[65];
    size_t pw_pos;

    pname = argv[0];
    if (argc > 3) {
        usage();
        return 1;
    }
    if (argc > 1 && argv[1][0] == '-') {
        switch (argv[1][1]) {
        case 'h':
            usage();
            break;
        case 'p':
            if (argc < 3 || cdecrypt(argv[2], passwd, sizeof passwd)) {
                fprintf(stderr, "Error.\n");
                return 1;
            }
            fprintf(stdout, "password: %s\n", passwd);
            break;
        default:
            fprintf(stderr, "%s: unknown option.\n", pname);
            return 1;
        }
        return 0;
    }
    if (argc > 1 && (in = fopen(argv[1], "r")) == NULL) {
        perror(argv[1]);
        return 1;
    }
    if (argc > 2 && (out = fopen(argv[2], "w")) == NULL) {
        perror(argv[2]);
        return 1;
    }

    /* Copy the config through, decoding "password 7" / "enable-password 7" lines. */
    while (fgets(line, sizeof line, in) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        pw_pos = 0;
        if (!strncmp(line, pw_str1, strlen(pw_str1)))
            pw_pos = strlen(pw_str1);
        if (!strncmp(line, pw_str2, strlen(pw_str2)))
            pw_pos = strlen(pw_str2);
        if (!pw_pos) {
            fprintf(out, "%s\n", line);
            continue;
        }
        if (cdecrypt(&line[pw_pos], passwd, sizeof passwd)) {
            fprintf(stderr, "Error.\n");
            return 1;
        }
        fprintf(out, "%.*s%s\n", (int)pw_pos, line, passwd);
    }
    if (in != stdin)
        fclose(in);
    if (out != stdout)
        fclose(out);
    return 0;
}
```
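Michel's question (what the key changes, given the route-maps and access-lists) is about the TCP session rather than the routes it carries, so here is an added example, not part of this thread, modelling the receiver-side RFC 2385 check in Python: the addresses, key, ports and sequence numbers are constructed, and the window test is the pre-RFC 5961 behaviour that a blind in-window reset relies on.

```python
import hashlib
import hmac
import socket
import struct

FLAG_RST = 0x04
MD5_OPT_LEN = 20  # 18-byte TCP MD5 option padded to a 4-byte boundary

def fixed_header(seg):
    """20-byte TCP header with checksum and urgent pointer zeroed, as RFC 2385 hashes it."""
    data_off = (20 + (MD5_OPT_LEN if seg.get("signed") else 0)) // 4
    return struct.pack("!HHIIBBHHH", seg["sport"], seg["dport"], seg["seq"],
                       seg["ack"], data_off << 4, seg["flags"], seg["window"], 0, 0)

def tcp_md5_signature(src_ip, dst_ip, seg, payload, key):
    """RFC 2385: MD5(pseudo-header | fixed TCP header | payload | key); options are excluded."""
    hdr = fixed_header(seg)
    tcp_len = len(hdr) + (MD5_OPT_LEN if seg.get("signed") else 0) + len(payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, tcp_len)
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def accept_rst(session, src_ip, dst_ip, seg, payload=b""):
    """Receiver decision for an inbound RST; session holds key (bytes or None), rcv_nxt, rcv_wnd."""
    if not seg["flags"] & FLAG_RST:
        return False
    if session["key"] is not None:
        # A keyed connection silently drops segments whose signature is missing or wrong.
        expected = tcp_md5_signature(src_ip, dst_ip, seg, payload, session["key"])
        if not seg.get("signed") or not hmac.compare_digest(seg.get("md5", b""), expected):
            return False
    # Pre-RFC 5961 stacks reset on any in-window sequence number; filters never see this.
    return session["rcv_nxt"] <= seg["seq"] < session["rcv_nxt"] + session["rcv_wnd"]

def demo():
    key = b"constructed-shared-secret"          # constructed sample key
    peer, me = "192.0.2.1", "192.0.2.2"          # constructed TEST-NET-1 addresses
    session = {"key": None, "rcv_nxt": 1000, "rcv_wnd": 16384}
    rst = {"sport": 179, "dport": 40001, "seq": 5000, "ack": 0,
           "flags": FLAG_RST, "window": 0, "signed": False}
    unkeyed = accept_rst(session, peer, me, rst)       # in-window, unsigned: accepted
    session["key"] = key
    unsigned = accept_rst(session, peer, me, rst)      # same segment, keyed session: dropped
    signed = dict(rst, signed=True)
    signed["md5"] = tcp_md5_signature(peer, me, signed, b"", key)
    genuine = accept_rst(session, peer, me, signed)    # the real peer's RST still works
    return unkeyed, unsigned, genuine
```

The route-map in item b only decides which prefixes are installed once the session is up; the key is what stops a third party with the right 4-tuple from tearing the session down.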