North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: key change for TCP-MD5

  • From: Ross Callon
  • Date: Wed Jun 21 10:57:30 2006

At 07:29 PM 6/20/2006 -0400, Richard A Steenbergen wrote:
On Tue, Jun 20, 2006 at 05:06:27PM -0400, Ross Callon wrote:
...I'd still like someone to explain why we're wasting man hours, CPU time,
filling up our router logs, and potentially making DoS easier, for an
attack that doesn't exist....
I think that it does make sense to be clear what attack
or set of attacks we are trying to protect against.

One type of attack is the TCP reset attack. I personally don't
have a strong opinion regarding whether it is worth protecting
against only this attack.

Another potential attack is an attempt to insert information
into a BGP session, such as to introduce bogus routes, or
to even become a "man in the middle" of a BGP session. One
issue that worries me about this is that if this allows routing to
be compromised, then I can figure out how to make money off
of this (and if I can think of it, someone even nastier will probably
also think of this). Of course this would be much more difficult to
pull off, and might require viewing packets between routers to pull
off, but if pulled off and not quickly detected could be unfortunate.