North American Network Operators Group


Re: Winstar says there is no TCP/BGP vulnerability

  • From: Patrick W. Gilmore
  • Date: Wed Apr 21 01:08:13 2004

On Apr 21, 2004, at 12:11 AM, Rob Thomas wrote:

] Actual data: Over the past three plus years an organization with on the
] order of a dozen MD5-ized BGP sessions has had multiple down sessions
] due to, for instance, a peer doing standard (for them) password
] rotation and forgetting to inform the organization.

Yep, that's a problem - a PROCESS problem. The definition of insanity
is repeating the same behavior over and over and expecting a different
result. ;)
So you think continuing to use MD5 and not see down sessions due to lost passwords would be insane?

Also, PROCESSES are part of running a network. As any large network provider, they will tell you the process of keeping the network up costs more than the fiber the network runs on. In fact, operational support and complexity is one of the main reasons large networks give for not peering with other networks.


] Saying that we've not seen any RST attacks may be correct, but it's
] not a predictor of future activity.  No one can do more than model
] what may come next.  Prior to February 2001 no one had seen massive
] DDoS either.  Anyone still think DDoS isn't a problem?
Of course not. But I also see a reason to do DDoS attacks.

Rob, you are the biggest proponent of the underground economy I have ever seen. Tell me why a miscreant would waste his time - at *least* 30 minutes (lowest report I've seen, and possibly hours or days) - trying to reset a BGP session when with less effort they could take down an entire router?

I can come up with reasons, but they are pretty few and far between, especially compared with reasons to take out a whole router.

Can you tell me why these miscreants - people who are lazy just like us - would not rather packet the router off the 'Net than do this slow, possibly useless exercise?


] We manage well over 150 peering sessions with MD5 passwords in place.
] This includes bogon peering, route-server peering, and production
] traffic peering.  This has grown over the past three years.  The total
] number of MD5-related outages:  zero.
]
] In other words, your mileage may vary.  :)
Awesome news. And your mileage *will* vary, since you cannot control separate organizations.

--
TTFN,
patrick
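The failure mode argued over above (a peer rotates its MD5 password without telling the other side, and the session drops) follows directly from how RFC 2385 works: the receiver recomputes the digest with its own configured key and silently discards any segment that does not match, so the only symptom is a hold-timer expiry. The model below is an example added to this archive page; it is not code from the thread's author or from any vendor. The addresses, ports, key values and timer values are constructed, and the digest assumes the 18-byte MD5 option is the only TCP option present.

```python
# Added example (not the poster's code): models TCP-MD5 (RFC 2385) signature
# checking on a BGP session and what an uncoordinated key rotation does to it.
# All addresses, ports, keys and timers below are constructed for illustration.
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
BGP_PORT = 179
# BGP KEEPALIVE: 16-byte all-ones marker, 2-byte length (19), 1-byte type (4)
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
MD5_OPTION_LEN = 18  # kind(1) + len(1) + 16-byte digest


def tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, key):
    """RFC 2385 digest: MD5 over the pseudo-header, the 20-byte TCP header
    with its checksum zeroed (options excluded), the payload, then the key.
    Segment length assumes the MD5 option is the only option carried."""
    seg_len = len(tcp_hdr) + MD5_OPTION_LEN + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr_zero_csum = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:]
    return hashlib.md5(pseudo + hdr_zero_csum + payload + key).digest()


def make_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """Build a minimal signed segment the way the sending speaker would."""
    flags = 0x18  # PSH|ACK
    data_offset = 10  # 20-byte header + 18-byte MD5 option + 2 bytes padding
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          data_offset << 4, flags, 65535, 0, 0)
    return {"src": src_ip, "dst": dst_ip, "hdr": tcp_hdr, "data": payload,
            "sig": tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, key)}


def receive(seg, my_key):
    """Receiver check with the locally configured key. A mismatch is a silent
    discard (RFC 2385 sends nothing back), so a forgotten rotation is only
    visible as a hold-timer expiry, never as an explicit error."""
    expected = tcp_md5_digest(seg["src"], seg["dst"], seg["hdr"],
                              seg["data"], my_key)
    return hmac.compare_digest(expected, seg["sig"])


def simulate(peer_key_at, local_key, hold_time=90, keepalive=30, horizon=300):
    """Feed KEEPALIVEs from a remote peer, whose key at time t is
    peer_key_at(t), into a local speaker configured with local_key. Returns
    the time (seconds) the local hold timer expires, or None if it never does."""
    last_accepted = 0
    for t in range(0, horizon + 1, keepalive):
        seg = make_segment("192.0.2.1", "192.0.2.2", 40000, BGP_PORT,
                           1000 + t, 2000, BGP_KEEPALIVE, peer_key_at(t))
        if receive(seg, local_key):
            last_accepted = t
        elif t - last_accepted >= hold_time:
            return t
    return None


if __name__ == "__main__":
    OLD, NEW = b"old-shared-secret", b"new-shared-secret"
    # Peer rotates at t=45s and does not tell us: session dies at 120s.
    print("uncoordinated rotation, session down at:",
          simulate(lambda t: OLD if t < 45 else NEW, OLD))
    # No rotation (or a coordinated one): session stays up.
    print("no rotation, session down at:", simulate(lambda t: OLD, OLD))
```

The point the model makes is that nothing in the protocol distinguishes "wrong key" from "peer silent": the local speaker sees accepted keepalives stop and tears the session down when the hold timer (90 s here, three missed keepalives) runs out. Detecting the cause therefore has to come from outside the session, such as logging MD5 digest failures on the router or correlating the outage with the peer's rotation schedule.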