North American Network Operators Group

Re: BCP38 making it work, solving problems
> Date: Tue, 19 Oct 2004 09:21:46 -0700
> From: Randy Bush <[email protected]>
> Subject: Re: BCP38 making it work, solving problems

> > For example, how many ISPs use TCP MD5 to limit the possibility of a
> > BGP/TCP connection getting hijacked or disrupted by a ddos attack?
> i hope none use it for the latter, as it will not help. more and
> more use it for the former. why? because they perceived the need
> to solve an immediate problem, a weakness in a vendor's code.

Uhm, you might need to run that by me again...

Hijacking the connection is in a completely different class as someone bombarding you with a bunch of forged BGP packets to close down a session. Without that MD5 checksum you are quite vulnerable to that.

I haven't seen a vendor come up with a solution to that, because the problem is on a much more vendor-neutral level...

Regards,
JP Velders

PS: of course that MD5 option also causes problems for peerings to come back "up" again if you have to reboot/reload *without* properly closing them... :(
Hey, pros and cons are part of the job ;)