North American Network Operators Group


Re: key change for TCP-MD5

  • From: David Barak
  • Date: Wed Jun 21 12:07:27 2006

--- Ross Callon <[email protected]> wrote:

> Another potential attack is an attempt to insert information into a
> BGP session, such as to introduce bogus routes, or to even become a
> "man in the middle" of a BGP session. One issue that worries me about
> this is that if this allows routing to be compromised, then I can
> figure out how to make money off of this (and if I can think of it,
> someone even nastier will probably also think of this). Of course this
> would be much more difficult to pull off, and might require viewing
> packets between routers to pull off, but if pulled off and not quickly
> detected could be unfortunate.

But it's safe to say that it would be a lot easier to crack a router
itself than to unobtrusively insert useful false information, or if the
ISP's routers are sufficiently hardened, it would be easier to crack a
customer (or peer)'s router, and use that for the

The same mechanism which can detect bogus prefixes from a peer/customer
can detect them from a hijacked session.  The cost/benefit ratio is
better for securing the routers themselves.


David Barak
Need Geek Rock?  Try The Franchise:

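The point in the reply above, that an inbound prefix policy catches bogus routes whether they come from a careless customer or from a session an attacker has taken over, can be shown with a small filter. The following is an added example written for this archive page; it is not code from David Barak, Ross Callon, or any router vendor. The peer names, the allowed prefixes with their `le` length limits, the maximum-prefix values and the sample UPDATE contents are all constructed for illustration.

```python
import ipaddress

# Constructed sample policy (an assumption for this example): what each
# neighbor may announce, as (prefix, max accepted length) pairs, i.e. the
# equivalent of a router prefix-list entry "permit 198.51.100.0/22 le 24".
PEER_POLICY = {
    "peer-A":     [("198.51.100.0/22", 24)],
    "customer-B": [("203.0.113.0/24", 26)],
}

# Address blocks that are never routable on the public Internet and are
# rejected from every neighbor regardless of per-peer policy.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4",
)]

# Constructed per-neighbor maximum-prefix limits: more accepted prefixes
# than this and the whole session is treated as suspect.
MAX_PREFIXES = {"peer-A": 4, "customer-B": 2}


def _contained(prefix, block):
    """subnet_of() raises on mixed address families; treat that as 'no'."""
    return prefix.version == block.version and prefix.subnet_of(block)


def check_announcement(peer, prefix_str):
    """Classify one announced prefix as ("accept", why) or ("reject", why).

    The check only looks at the prefix and the neighbor's policy; it has no
    idea (and does not need to know) whether the TCP session carrying the
    UPDATE is the real neighbor or a hijacked one.
    """
    try:
        prefix = ipaddress.ip_network(prefix_str, strict=True)
    except ValueError as e:
        return ("reject", f"malformed prefix: {e}")
    if any(_contained(prefix, b) for b in BOGONS):
        return ("reject", "bogon")
    rules = PEER_POLICY.get(peer)
    if rules is None:
        return ("reject", "unknown neighbor")
    for allowed_str, max_len in rules:
        allowed = ipaddress.ip_network(allowed_str)
        if _contained(prefix, allowed):
            if prefix.prefixlen <= max_len:
                return ("accept", f"within {allowed} le {max_len}")
            return ("reject", f"{prefix} more specific than /{max_len}")
    return ("reject", f"{prefix} not in {peer}'s allowed set")


def filter_session(peer, prefixes):
    """Run every prefix of a session through check_announcement, then apply
    the neighbor's maximum-prefix limit. Returns (accepted, rejected) as
    lists of (prefix, reason) pairs."""
    accepted, rejected = [], []
    for p in prefixes:
        verdict, reason = check_announcement(peer, p)
        (accepted if verdict == "accept" else rejected).append((p, reason))
    if len(accepted) > MAX_PREFIXES.get(peer, 0):
        # Over the limit: the session is torn down, so nothing is kept.
        rejected.extend((p, "maximum-prefix exceeded") for p, _ in accepted)
        accepted = []
    return accepted, rejected


# Constructed sample UPDATE contents. The second list is what the same
# peer-A session might carry after an attacker injects routes into it.
HONEST_SESSION = ["198.51.100.0/22", "198.51.100.0/24"]
HIJACKED_SESSION = ["198.51.100.0/22", "203.0.113.0/24",
                    "10.0.0.0/8", "198.51.100.0/25"]

if __name__ == "__main__":
    for name, prefixes in (("honest", HONEST_SESSION),
                           ("hijacked", HIJACKED_SESSION)):
        acc, rej = filter_session("peer-A", prefixes)
        print(f"{name}: accepted {acc}")
        print(f"{name}: rejected {rej}")
```

Run as a script, the honest session passes both prefixes and the hijacked one keeps only the /22: the stolen customer-B block, the bogon and the too-specific /25 are all dropped by the same policy that would drop them from a legitimate but misconfigured neighbor. What the filter cannot catch is an attacker who injects exactly what the peer is allowed to announce, which is why the reply argues for spending effort on hardening the routers themselves.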