North American Network Operators Group


Re: BCP38 making it work, solving problems

  • From: JP Velders
  • Date: Tue Oct 19 13:15:44 2004

> Date: Tue, 19 Oct 2004 09:21:46 -0700
> From: Randy Bush <[email protected]>
> Subject: Re: BCP38 making it work, solving problems

> > For example, how many ISPs use TCP MD5 to limit the possibility of a
> > BGP/TCP connection getting hijacked or disrupted by a ddos attack?

> i hope none use it for the latter, as it will not help.  more and
> more use it for the former.  why?  because they perceived the need
> to solve an immediate problem, a weakness in a vendor's code.

Uhm, you might need to run that by me again...

Hijacking the connection is in a completely different class from someone
bombarding you with a bunch of forged BGP packets to close down a
session. Without that MD5 checksum you are quite vulnerable to that. I
haven't seen a vendor come up with a solution to that, because the
problem is on a much more vendor-neutral level...

Regards,
JP Velders

PS: of course that MD5 option also causes problems for peerings to come
    back "up" again if you have to reboot/reload *without* properly
    closing them... :( Hey, pros and cons are part of the job ;)
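The "MD5 checksum" the thread is arguing about is the TCP MD5 Signature Option of RFC 2385, which BGP speakers use to discard forged segments (an unsigned RST aimed at a protected session never reaches the BGP state machine). The following is an added example written for this archive page, not code from either poster or from any router vendor; it computes and verifies the RFC 2385 digest over a hand-built TCP segment, using constructed documentation addresses, port numbers and a made-up shared key. It also shows the failure mode JP's postscript describes: when the two ends no longer agree on the key, every segment is rejected and the session cannot come up.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCPOPT_MD5SIG = 19        # RFC 2385 option kind
TCPOPT_MD5SIG_LEN = 18    # kind(1) + length(1) + 16-byte digest
TCP_FLAG_RST = 0x04
TCP_FLAG_PSH_ACK = 0x18


def _pseudo_header(src_ip, dst_ip, segment_len):
    # RFC 2385 item 1: source IP, destination IP, zero-padded protocol, segment length
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, segment_len))


def rfc2385_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed, options excluded),
    payload and the shared key, in the order RFC 2385 specifies."""
    data_offset = (segment[12] >> 4) * 4
    fixed_header = bytearray(segment[:20])
    fixed_header[16:18] = b"\x00\x00"          # item 2: checksum assumed zero
    h = hashlib.md5()
    h.update(_pseudo_header(src_ip, dst_ip, len(segment)))
    h.update(bytes(fixed_header))
    h.update(segment[data_offset:])             # item 3: segment data
    h.update(key)                               # item 4: shared key
    return h.digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", key=None):
    """Build a minimal TCP segment (window 65535, checksum left zero for the example).
    With a key, a kind-19 option is appended, NOP-padded to a 32-bit boundary."""
    options = b""
    if key is not None:
        options = bytes([TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN]) + bytes(16) + b"\x01\x01"
    header_len = 20 + len(options)
    data_offset = (header_len // 4) << 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)
    segment = header + options + payload
    if key is not None:
        # The digest does not cover the option bytes, so fill them in afterwards.
        digest = rfc2385_digest(src_ip, dst_ip, segment, key)
        segment = segment[:22] + digest + segment[38:]
    return segment


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side of a protected session: True only if the segment carries a
    kind-19 option whose digest matches our key. Unsigned segments are rejected."""
    data_offset = (segment[12] >> 4) * 4
    options = segment[20:data_offset]
    found = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                           # end of option list
            break
        if kind == 1:                           # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return False                        # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return False                        # malformed option length
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            found = options[i + 2:i + 18]
        i += length
    if found is None:
        return False
    expected = rfc2385_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(found, expected)


def demo():
    """Constructed scenario: BGP speaker 192.0.2.2 (port 179) protected with a shared key."""
    src, dst = "192.0.2.1", "192.0.2.2"        # constructed documentation addresses
    key = b"example-shared-key"                 # constructed key, not a real one
    bgp_keepalive = b"\xff" * 16 + b"\x00\x13\x04"   # marker, length 19, type KEEPALIVE
    signed = build_segment(src, dst, 40001, 179, 1000, 2000, TCP_FLAG_PSH_ACK, bgp_keepalive, key)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])   # payload changed after signing
    unsigned_rst = build_segment(src, dst, 40001, 179, 1000, 2000, TCP_FLAG_RST)
    # After a reload one side comes back with a stale key: nothing it sends verifies.
    stale_key = build_segment(src, dst, 40001, 179, 1000, 2000, TCP_FLAG_PSH_ACK, bgp_keepalive, b"old-key")
    return {
        "signed_keepalive": verify_segment(src, dst, signed, key),
        "tampered_payload": verify_segment(src, dst, tampered, key),
        "unsigned_rst": verify_segment(src, dst, unsigned_rst, key),
        "stale_key_after_reload": verify_segment(src, dst, stale_key, key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'dropped'}")
```

Two points worth noticing from the verifier: the digest covers the pseudo-header and sequence numbers, so an unsigned or wrongly keyed segment is dropped before TCP acts on its RST flag, which is exactly the denial-of-service case the thread discusses; and the key is simply appended to the hashed data rather than used as an HMAC, which is one of the reasons RFC 5925 (TCP-AO) was later specified as a replacement.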