Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: md5 for bgp tcp sessions

  • From: Jared Mauch
  • Date: Thu Jun 23 11:24:56 2005

On Thu, Jun 23, 2005 at 10:27:49AM -0400, Todd Underwood wrote:
> 
> marty,
> 
> On Thu, Jun 23, 2005 at 10:22:07AM -0400, Hannigan, Martin wrote:
> > > rolling out magic code because your
> > > vendor tells you to is a bad idea;  
> > 
> > That's mostly the result of the calamitous failure in vulnerability 
> > release methodology, not Operator stupidity. 
> 
> totally agreed.  vendors c, j and several others should be *ashamed*
> of the way that they handled and continue to handle this issue: they

	Hmm, Do you mean NISCC?  I think they were
driving the issue:

http://www.uniras.gov.uk/niscc/docs/al-20040420-00199.html?lang=en

> have yet to admit that they raised a panic (in secret, with no facts,
> so that they could not be refuted) over a basic fact of the way tcp
> works, creating outages and instability to fix a non-problem.
> 
> operators in those circumstances had little choice but to roll out
> "critical security fixes", but i think we all deserve an apology, an
> explanation and a commitment to do better in the future.

	Come on folks, this was over a year ago, we've all grown
some (well, at least older) and hopefully wiser in how to handle
these situations as they come up.

	I suspect the vendors, NISCC/UNIRAS, and various global CERTs
have been learning from these events, but it was awhile ago so take
the lesson and move on.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.