North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: BCP38 making it work, solving problems
- From: JP Velders
- Date: Tue Oct 19 13:15:44 2004
> Date: Tue, 19 Oct 2004 09:21:46 -0700
> From: Randy Bush <firstname.lastname@example.org>
> Subject: Re: BCP38 making it work, solving problems
> > For example, how many ISPs use TCP MD5 to limit the possibility of a
> > BGP/TCP connection getting hijacked or disrupted by a ddos attack?
> i hope none use it for the latter, as it will not help. more and
> more use it for the former. why? becuase they perceived the need
> to solve an immediate problem, a weakness in a vendor's code.
Uhm, you might need to run that by me again...
Hijacking the connection is in a completely different class as someone
bombarding you with a bunch of forged BGP packets to close down a
session. Without that MD5 checksum you are quite vulnerable to that. I
haven't seen a vendor come up with a solution to that, because the
problem is on a much more vendor-neutral level...
PS: ofcourse that MD5 option also causes problems for peerings to come
back "up" again if you have to reboot/reload *without* properly
closing them... :( Hey, pro's and con's are part of the job ;)