
Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: BCP38 making it work, solving problems

  • From: JP Velders
  • Date: Tue Oct 19 13:15:44 2004


> Date: Tue, 19 Oct 2004 09:21:46 -0700
> From: Randy Bush <randy@psg.com>
> Subject: Re: BCP38 making it work, solving problems

> > For example, how many ISPs use TCP MD5 to limit the possibility of a
> > BGP/TCP connection getting hijacked or disrupted by a ddos attack?

> i hope none use it for the latter, as it will not help.  more and
> more use it for the former.  why?  because they perceived the need
> to solve an immediate problem, a weakness in a vendor's code.

Uhm, you might need to run that by me again...

Hijacking the connection is in a completely different class than someone
bombarding you with a bunch of forged BGP packets to close down a
session. Without that MD5 checksum you are quite vulnerable to that. I
haven't seen a vendor come up with a solution to that, because the
problem is on a much more vendor-neutral level...

Regards,
JP Velders

PS: of course that MD5 option also causes problems for peerings to come
    back "up" again if you have to reboot/reload *without* properly
    closing them... :( Hey, pros and cons are part of the job ;)
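
The TCP MD5 signature option discussed in this thread (RFC 2385), as an added example that is not part of the original post: a receiver-side check run over three constructed segments, a signed BGP KEEPALIVE and two forged RSTs carrying the right addresses, ports and sequence number. The key, addresses, ports and function names are assumptions made for the illustration.

```python
import hashlib, hmac, socket, struct

MD5SIG = 19  # TCP option kind assigned by RFC 2385

def digest(src, dst, fixed, seg_len, payload, key):
    # MD5 over: pseudo-header, 20-byte header with checksum zeroed
    # (options excluded), segment data, then the shared key.
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, seg_len)
    return hashlib.md5(pseudo + fixed[:16] + b"\x00\x00" + fixed[18:20] + payload + key).digest()

def build(src, dst, sport, dport, seq, ack, flags, payload=b"", key=None):
    hlen = 40 if key else 20  # 20 fixed + 18-byte option + 2 NOPs of padding
    # TCP checksum left at 0 in these constructed segments; the digest assumes 0 anyway.
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, (hlen // 4) << 4, flags, 16384, 0, 0)
    if key is None:
        return fixed + payload
    sig = digest(src, dst, fixed, hlen + len(payload), payload, key)
    return fixed + bytes([MD5SIG, 18]) + sig + b"\x01\x01" + payload

def verify(src, dst, segment, key):
    """Return True only if the segment carries a valid signature for this key."""
    if len(segment) < 20:
        return False
    hlen = (segment[12] >> 4) * 4
    if hlen < 20 or hlen > len(segment):
        return False
    opts, payload, i = segment[20:hlen], segment[hlen:], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return False         # malformed option
        if kind == MD5SIG and opts[i + 1] == 18:
            want = digest(src, dst, segment[:20], len(segment), payload, key)
            return hmac.compare_digest(opts[i + 2:i + 18], want)
        i += opts[i + 1]
    return False                 # no signature option: segment is dropped

KEY = b"constructed-peer-secret"          # constructed sample key
A, B = "192.0.2.1", "192.0.2.2"           # documentation addresses

def demo():
    keepalive = build(A, B, 50000, 179, 1000, 2000, 0x18, b"\xff" * 16 + b"\x00\x13\x04", KEY)
    rst_unsigned = build(A, B, 50000, 179, 1019, 0, 0x04)                # forged, no option
    rst_wrong_key = build(A, B, 50000, 179, 1019, 0, 0x04, key=b"guess")  # forged, wrong key
    return tuple(verify(A, B, s, KEY) for s in (keepalive, rst_unsigned, rst_wrong_key))
```
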



