North American Network Operators Group


Re: MD5 for TCP/BGP Sessions

  • From: Christopher L. Morrow
  • Date: Wed Mar 30 19:12:40 2005

> On Thu, 31 Mar 2005, Pekka Savola wrote:
>
> >
> > On Wed, 30 Mar 2005, John Kristoff wrote:
> > [on bgp/md5 and acl's]
> > > ACLs are often used, but vary widely depending on organization.

(and equipment in use)

> > > It can be difficult to manage ACLs on a box with a large number
> > > of peers that uses many local BGP peering addresses.  I'm sure

provided your gear supports it, an acl (this is one reason layered acls
would be nice on routers) per peer with:
permit /30 eq 179 /30
permit /30 /30 eq 179
deny all-network-gear-ip-space (some folks call it backbone ip space, Paul
Quinn at cisco says: "Infrastructure ip space")

no more traffic to the peer except BGP from the peer /30. No more ping, no
more traceroute of interface... (downsides perhaps?) and the 'customer'
can still DoS himself :( (or his compromised machine can DoS him)

> > > some organizations reviewed and updated their ACLs as a result
> > > of the last scare, but that is a local, private decision and it
> > > would probably be hard to get good sample of who and what changed.
> >

some people still use 'cisco' for their password, even on non-cisco
platforms :( this md5 discussion isn't the only security problem :(

> > I would be double careful here, just to make sure everybody
> > understands what you're protecting.
> >
> > iBGP sessions?  ACLs are trivial if you have your borders secured.
> >

ibgp, provided your infrastructure space is separate from 'customer' space,
is simpler... but keep in mind the possible downsides (no ping, no
traceroute, harder troubleshooting for the customers, perhaps)

> > eBGP sessions?  GTSM is your friend (if supported).  Practically, if
> > you know your peer and you also protect your borders, ACLs are rather
> > trivial as well.
> >

borders, for some folks, are wide, varied and complex :( So, for some
folks with limited border size/breadth making these things trivial is, of
course, easy.

> > What you seem to be saying is using ACLs to enumerate the valid
> > endpoints for eBGP sessions.  That goes further than the above but
> > indeed is also a pain to set up and maintain.
> >

and impossible to implement on some hardware. Note: Some/all of that
hardware is going away as time makes it fade into the background...
sometimes not fast enough though.

-Chris
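The per-peer ACL sketched above (BGP to and from the link /30 permitted, then anything aimed at infrastructure space denied) and the GTSM check mentioned in the quoted text, modelled as an added example that is not part of the NANOG post or of any vendor's implementation. The addresses (link 192.0.2.0/30, infrastructure 192.0.2.0/24 and 198.51.100.0/24, a transit host at 203.0.113.10) are constructed sample values, and the trailing permit-any for transit traffic is an assumption the post does not state explicitly:

```python
"""Model of a per-peer BGP ACL plus a GTSM (RFC 5082) TTL check.

Added example, not code from the NANOG post. The evaluator applies
first-match semantics with an implicit deny, as router ACLs do, and can
render each entry in IOS-style extended ACL syntax (wildcard masks).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ttl: int = 64


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None     # None matches any protocol ("ip")
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

    def ios(self) -> str:
        """Render as an IOS-style extended ACL entry (illustrative syntax)."""
        def net(n: ipaddress.IPv4Network) -> str:
            return "any" if n == ANY else f"{n.network_address} {n.hostmask}"
        parts = [self.action, self.proto or "ip", net(self.src)]
        if self.sport is not None:
            parts.append(f"eq {self.sport}")
        parts.append(net(self.dst))
        if self.dport is not None:
            parts.append(f"eq {self.dport}")
        return " ".join(parts)


def peer_acl(link: str, infrastructure: List[str]) -> List[Rule]:
    """Inbound ACL for one peering link: BGP on the /30 only, nothing else
    to infrastructure space. The peer can still flood port 179 on the /30
    (the 'DoS himself' case in the post); the ACL does not prevent that."""
    net = ipaddress.ip_network(link)
    rules = [
        Rule("permit", net, net, "tcp", dport=179),   # peer-initiated session
        Rule("permit", net, net, "tcp", sport=179),   # replies when we initiated
    ]
    for prefix in infrastructure:
        rules.append(Rule("deny", ANY, ipaddress.ip_network(prefix)))
    # Assumption: transit traffic through the router is still allowed.
    rules.append(Rule("permit", ANY, ANY))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def gtsm_accept(pkt: Packet, trust_radius: int = 0) -> bool:
    """RFC 5082 GTSM: the peer sends with TTL 255, so a packet that crossed
    more than trust_radius hops cannot arrive with TTL >= 255 - trust_radius.
    A directly connected eBGP peer uses trust_radius 0 (TTL must be 255)."""
    return pkt.ttl >= 255 - trust_radius


if __name__ == "__main__":
    acl = peer_acl("192.0.2.0/30", ["192.0.2.0/24", "198.51.100.0/24"])
    for rule in acl:
        print(rule.ios())
    bgp = Packet("192.0.2.1", "192.0.2.2", "tcp", sport=40000, dport=179, ttl=255)
    ping = Packet("192.0.2.1", "192.0.2.2", "icmp")
    print("bgp from peer:", evaluate(acl, bgp), "gtsm:", gtsm_accept(bgp))
    print("ping to interface:", evaluate(acl, ping))
```

Running it shows the trade-off the post describes: the peer's BGP session is permitted and passes GTSM, while its ping to the interface address is denied because the link /30 sits inside the denied infrastructure /24. A spoofed SYN to port 179 from outside the /30 is also denied, but only because it is aimed at infrastructure space, so the deny entries must cover every local BGP address or the per-peer permit does nothing useful.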