North American Network Operators Group
RE: TCP/BGP vulnerability - easier than you think
> Adam Rothschild wrote:
> Which begs the question, what is one to do, shy of
> moving (private) peering/transit/customer /31's and
> /30's into non-routable IP space, which opens up an
> entirely new can of worms?

Insist that the peer uses "ip verify unicast reverse-path" on all interfaces, or a similar command for other vendors.

> Fact of the matter is, MD5 computation/verification
> is not cheap, and many Cisco and Juniper platforms
> aren't designed to handle a barrage of MD5-hashed
> TCP packets. All things considered, I think MD5
> authentication will lower the bar for attackers, not
> raise it. I'm sure code optimizations could fix
> things to some degree, but that's just not the case
> today.

Certainly the best reason not to MD5 I have heard so far.

> Mikael Abrahamsson wrote:
> http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml
> This one seems much worse than the TCP RST problem.

Relatively easy to filter though.

Michel.
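The two defenses discussed in the reply above, strict unicast RPF and the RFC 2385 TCP MD5 signature option, as an added, runnable illustration that is not part of the NANOG thread or any vendor's code. It builds a spoofed RST and a signed BGP KEEPALIVE and shows which check rejects what. The addresses, interface names, ports, FIB and key are constructed for the example; the TCP checksum is left at zero because the digest is computed with the checksum field zeroed anyway.

```python
"""Added example: strict uRPF plus RFC 2385 TCP MD5 signing/verification.
Everything below (FIB, addresses, key) is constructed for illustration."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address, IPv4Network

TCP_PROTO = 6
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19       # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18      # kind + length + 16-byte digest
TH_RST, TH_ACK = 0x04, 0x10


def urpf_strict_check(fib, ingress_if, src_ip):
    """Strict uRPF ("ip verify unicast reverse-path"): the longest-prefix match
    on the SOURCE address must point back out the interface the packet came in on.
    fib is a list of (IPv4Network, interface_name)."""
    src = IPv4Address(src_ip)
    best = max(((net, ifc) for net, ifc in fib if src in net),
               key=lambda e: e[0].prefixlen, default=None)
    return best is not None and best[1] == ingress_if


def _md5sig(src_ip, dst_ip, segment, key):
    """RFC 2385 section 2: MD5 over pseudo-header, fixed 20-byte TCP header with
    checksum zeroed (options excluded), payload, then the key. Plain MD5 with the
    key appended, as the RFC specifies, not HMAC."""
    data_off = (segment[12] >> 4) * 4
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    hdr = segment[:16] + b"\x00\x00" + segment[18:20]   # zero the checksum
    m = hashlib.md5()
    for part in (pseudo, hdr, segment[data_off:], key):
        m.update(part)
    return m.digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                  payload=b"", key=None):
    """Raw TCP segment; with a key, add NOP NOP + MD5 option (20 bytes, so the
    header stays 32-bit aligned) and fill in the digest."""
    opts = b""
    if key is not None:
        opts = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + b"\x00" * 16
    data_off_words = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_off_words << 4, flags, window, 0, 0)
    segment = hdr + opts + payload
    if key is not None:
        segment = segment[:24] + _md5sig(src_ip, dst_ip, segment, key) + segment[40:]
    return segment


def find_md5_option(segment):
    """Walk the TCP option list; return the 16-byte digest or None."""
    data_off = (segment[12] >> 4) * 4
    i = 20
    while i < data_off:
        kind = segment[i]
        if kind == 0:                      # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= data_off:
            return None
        length = segment[i + 1]
        if length < 2 or i + length > data_off:
            return None                    # malformed option list
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return segment[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """On a session configured for MD5, a segment without the option or with a
    bad digest is dropped before any RST/SYN processing happens."""
    got = find_md5_option(segment)
    if got is None:
        return False
    return hmac.compare_digest(got, _md5sig(src_ip, dst_ip, segment, key))


# Constructed topology: the BGP peer 192.0.2.1 sits behind ge-0/0/1; an attacker
# on the customer-facing ge-0/0/2 spoofs the peer's address.
FIB = [(IPv4Network("0.0.0.0/0"), "ge-0/0/0"),
       (IPv4Network("192.0.2.0/30"), "ge-0/0/1"),
       (IPv4Network("198.51.100.0/24"), "ge-0/0/2")]
PEER, ME = "192.0.2.1", "192.0.2.2"
KEY = b"example-bgp-secret"                 # constructed, not a real password
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def spoofed_rst_outcomes():
    """(uRPF verdict, MD5 verdict) for an unsigned RST claiming to be from the
    peer but arriving on the customer interface. Both should be False."""
    rst = build_segment(PEER, ME, 179, 40000, 0x1234, 0, TH_RST, 0)
    return (urpf_strict_check(FIB, "ge-0/0/2", PEER),
            verify_segment(PEER, ME, rst, KEY))


def signed_roundtrip():
    """(genuine, seq-tampered, wrong-key) verdicts for a signed KEEPALIVE."""
    seg = build_segment(PEER, ME, 179, 40000, 0x1234, 0x5678, TH_ACK, 65535,
                        BGP_KEEPALIVE, KEY)
    tampered = seg[:4] + struct.pack("!I", 0x1235) + seg[8:]
    return (verify_segment(PEER, ME, seg, KEY),
            verify_segment(PEER, ME, tampered, KEY),
            verify_segment(PEER, ME, seg, b"wrong-key"))


if __name__ == "__main__":
    print("spoofed RST  (uRPF, MD5):", spoofed_rst_outcomes())
    print("signed segment (ok, tampered, wrong key):", signed_roundtrip())
```

Note the asymmetry the reply's second quote is about: uRPF costs a FIB lookup on the source address, while `verify_segment` runs a full MD5 over every inbound segment before the kind-19 option is even compared, so an attacker who floods a router with segments carrying bogus digests makes it do that work for each one.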