North American Network Operators Group


RE: MD5 for TCP/BGP Sessions

  • From: Doug Legge
  • Date: Fri Apr 15 12:05:29 2005

I would like to take this opportunity to thank everyone at Nanog that has
assisted me in the completion of this paper. It's being submitted on Monday
and I will be sure to let you know how it goes.

Once again - THANX

Doug
MDC Student
Kingston University
London /UK

-----Original Message-----
From: Doug Legge 
Sent: 30 March 2005 16:51
To: '[email protected]'
Subject: MD5 for TCP/BGP Sessions

NANOG,

I'm currently writing a paper for submission, as part of a MSc in Data
Communications, and would appreciate if anyone could update me as to the
implementation of MD5 for TCP authentication in BGP.

Following the alerts last year:
http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml
http://www.us-cert.gov/cas/techalerts/TA04-111A.html
http://www.cisco.com/en/US/products/products_security_advisory09186a00803be7d9.shtml
http://www.foundrynet.com/solutions/security/TCP_Vulnerability_v1_3.pdf
http://www.kb.cert.org/vuls/id/415294
http://isc.sans.org/diary.php?date=2004-04-20

What has been the general effect in the ISP/Enterprise community following
the warnings?
- Have people applied MD5?
- If not what other technologies were implemented (IPSec AH transport mode
for BGP sessions/ACL/rate limiting etc)?
- Have there been any performance impacts seen since implementation?
- Has the support of the BGP environment been increased because of this
implementation (What policies regarding changing the MD5 keys were
implemented)?
- Was this seen as a valid fix or a knee-jerk reaction (Having re-read the
exchanges on NANOG regarding the actual mathematical probability of generating
this attack, what did the ISP community actually do (compared to what the
academic/vendor community were suggesting))?

Whilst I've had some response from bgp-info and bgp-security, it's not
really been sufficient to draw any real conclusions. From your knowledge and
experience, are you aware, either internally or with customers, of the take-up
of MD5 implementations, and had anyone actually suffered an attack prior to
implementation?

--------------------------------
Please do not supply confidential information or anything that would be
commercially sensitive. If you want to contact me off-line or from a private
account, please do.


Yours

Doug Legge
MDC Student
Kingston University
London /UK