North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: md5 for bgp tcp sessions

  • From: Barry Greene (bgreene)
  • Date: Thu Jun 23 10:19:31 2005


> my understanding is that md5 is still checked before the 
> ttl-hack check takes place on cisco (and perhaps most router 
> platforms).  new attack vector for less security than you had 
> before.  oh well.  ras:
> can you confirm that it is possible to implement ttl-hack and 
> have it check *before* md5 signature checks?

You do not have a correct understanding of how GPTM is suppose to work.
If you can, you need to do this check as close to the punt out of the
data plane as possible. Optimally in the ASIC (if the ASIC can be coded
to do a TTL check). On Cisco gear we're coding from inside out - doing
GPTM in the routing code (BGP) - then in the receive path wrapper (rACL
and CoPP) - then in the ASIC raw queue (if it can) - then in the ASIC's
receive path primitives. The GPTM was all about dropping the packet
before they got near the route process. 

If you want more details, let me know and I'll send them privately.