North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: md5 for bgp tcp sessions
On Thu, Jun 23, 2005 at 05:57:05AM -0400, Todd Underwood wrote: > > ras, all, > > On Thu, Jun 23, 2005 at 12:14:12AM -0400, Richard A Steenbergen wrote: > > On Wed, Jun 22, 2005 at 10:04:09PM -0400, Todd Underwood wrote: > > > > a) many (all?) implementations of md5 protection of tcp expose > > > new, easy-to-exploit vulnerabilities in host OSes. md5 verification > > > is slow and done on a main processor of most routers. md5 > > > verification typically takes places *before* the sequence number, > > > ports, and ip are checked to see whether they apply to a valid > > > session. as a result, you've exposed a trivial processor DOS to your > > > box. > > > > Well, I think they've finally fixed this one by now, at least everyone > > that I'm aware of has done so. Immediately following the whining to start > > deploying MD5 is was certainly the case that many implementations did > > stupid stuff like process MD5 before running other validity checks like > > sequence numbers which are far less computationally intensive, and there > > were a few MSS bugs that popped up, but they should have all been worked > > out by now. I don't think that anyone running modern code is suffering any > > more attack potential because of this. > > my understanding is that md5 is still checked before the ttl-hack > check takes place on cisco (and perhaps most router platforms). new > attack vector for less security than you had before. oh well. ras: > can you confirm that it is possible to implement ttl-hack and have it > check *before* md5 signature checks? Last I knew there was still a bug open on this that has gotten little/no action for at least half a year on this issue, I would think that in 6mos someone at Cisco could take the time to research the bug and fix it. (I'll leave out the part about releasing TAC supported code with a fix). I believe the bugid is CSCee73956 - Jared -- Jared Mauch | pgp key available via finger from [email protected] clue++; | http://puck.nether.net/~jared/ My statements are only mine.