North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Winstar says there is no TCP/BGP vulnerability

  • From: Christopher L. Morrow
  • Date: Wed Apr 21 01:18:20 2004

On Tue, 20 Apr 2004, Michel Py wrote:

> Now, the dumb question:
> Given:
> 1) The context above especially item b
> 2) Christopher Morrow's comments below
> Explain me what having or not having the MD5 password changes. Either
> you're small and/or stupid and do it manually, or you have an automated
> system that does it for you.

I wasn't clear and for that I'm sorry. Except in the later code trains, or
until the recent past (1 year or so) changing the BGP MD5 auth bits
required the session to be reset. Changing your route-map or access-list
or prefix-list will not reset the session... Having to reset sessions to
change 'vital' security parameters seems like a large problem.

So, given this operational headache MD5 auth just doesn't get rolled out,
or when it does, sessions never get their auth info changed. (in practice)
Atleast in more current code and now in 12.0.SOMETHING-S code you can both
change on the fly and have 'fall back' key capability. This makes this
pain less and makes operational pain with md5 less as well.

>
>
> > Christopher L. Morrow wrote:
> > there is the issue of changing the keys during operations
> > without impacting the network, eh? Having to bounce every
> > bgp session in your network can be pretty darned painful...
> > if you change the key(s) of course.
>
> See above: Changing the route-map is equally painful.
>

no, removing a route-map or adding a new one is painful, changing it is
just normal, no bounce required.

> > If you don't you might as well not have keys, since adding
> > the 3 lines of C code required to Paul Watsons' program
> > making it do the hashing certainly won't be a big deal, eh?
>
> I'm weak with C. Besides adding "neighbor x.x.x.x password 7 " below

me too, I'm a chemical engineer... :)

> "enable-password 7 " for each peer (which requires recompiling, how
> annoying) would you care sharing the 3 said lines for the code below :-)
>

wrong program, I was referring to his reset_tcp.c program, which would
only need:
1) your key as a input in argv
2) the requisite option added to the tcp header
3) the hash function applied to the resultant packet before
generation and output.

so, 3 pseudo-code lines... my point here is that the MD5 auth is only as
good as your passwd security, and change procedures. Remember that once
you put the passwd in the config it's exposed and the next NOC engineer
that leaves will have a copy emailed to his home email account before he
stomps out :(