Re: What Worked - What Didn't
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Mon, 17 Sep 2001 15:00:21 -0400
At 02:46 PM 9/17/2001 -0400, Valdis.Kletnieks () vt edu wrote:
>On Mon, 17 Sep 2001 14:32:35 EDT, "Patrick W. Gilmore" <patrick () ianai net>
>> If someone can splice into my point-to-point OC system, fake being the
>> router on the other end, and keep my peer from calling me and asking what
>You *do* do ingress and egress filtering of your own addresses, and have
>that your router does in fact use cryptographically challenging sequence

I do not do anything. I Am Not An ISP. :)
But when I did run a network, I did *NOT* ingress filter on my own address
space. I ran networks with multi-homed clients. If I did not allow my own
address space to be announced to me, I would not have been able to talk to
my multi-homed downstreams if their link to me was down. When a link to
your upstream is down and you cannot send mail to noc@ through your second
upstream, you tend to get a new upstream pretty quick.
I *ABSOLUTELY* believe in filtering customer announcements into my
backbone. Been a big proponent of it for many years. Search the archives.
As for "cryptographically challenging sequence numbers", well, no, I have
not inspected the code on any cisco or Juniper routers lately. Whatever
sequence numbers they use are the sequence numbers they use, and I ain't
gonna hack the code to change it.

>And even if you don't, using MD5 is not *that* expensive (or shouldn't be),
>and provides security in depth.

I do not *think* it would tax the CPU too much, but it has been at least 3
years since I have done it. IIRC, the CPU overhead was near nil.
And it only provides security for the BGP session, not "in depth". I am
not saying that is a bad thing, just mentioning the limitation.

>Unfortunately, I'll bet there's a LOT of routers that don't have filtering
>in place, don't have good sequence numbers, and don't use MD5. Enough

Actually, I am still not certain why it was said at all. There are far,
far more difficult hurdles to overcome when spoofing a BGP session between
major carriers than the sequence numbers. And most people notice when a
major peer goes down, very, very quickly. MD5 or not.
In fact, I would wager that the misdirected traffic due to the added
configuration complexity (yes, one line, but trust me, it can be a bitch if
you forget the line, or forget the password) would far outweigh any savings
you got from stopping attacks.
But no way to tell for certain since this type of attack is practically
unheard of. (Or perhaps that is a way to tell? :)

> Valdis Kletnieks
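The MD5 mechanism the thread argues about is the TCP MD5 Signature Option of RFC 2385, which is what a "neighbor ... password" line on a router turns on. The following is an added example, written for this archive page and not code from either poster or from any router vendor: a self-contained reimplementation of the RFC 2385 digest, used here to make Patrick's point concrete that the option authenticates the BGP session's TCP segments and nothing else. Everything it signs is visible in the code: the IP pseudo-header, the fixed TCP header (checksum zeroed, options excluded), the TCP payload, and the shared key. The addresses, ports, sequence numbers, key and the BGP KEEPALIVE payload are constructed sample values; in practice the kernel or router computes this, so `tcp_md5_digest` here is a reference model for understanding the coverage, not something to deploy.

```python
"""Reference model of the TCP MD5 Signature Option (RFC 2385).

Added example; not from the original post or any vendor implementation.
All addresses, ports, sequence numbers, keys and payloads are constructed.
"""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCP_MD5_OPTION_KIND = 19   # option kind assigned by RFC 2385
TCP_MD5_OPTION_LEN = 18    # kind (1) + length (1) + MD5 digest (16)


def tcp_md5_digest(src_ip, dst_ip, src_port, dst_port, seq, ack,
                   data_offset_words, flags, window, urgent, payload, key):
    """Return the 16-byte digest RFC 2385 places in the option.

    The digest covers, in order:
      1. the TCP pseudo-header (src addr, dst addr, zero, protocol, segment length),
      2. the 20-byte TCP header with the checksum field zeroed and options excluded,
      3. the TCP segment data,
      4. the shared key.
    data_offset_words is the real header length, options included, in 32-bit words.
    """
    header_len = data_offset_words * 4
    segment_len = header_len + len(payload)
    pseudo = struct.pack("!4s4sBBH",
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, TCP_PROTO, segment_len)
    offset_flags = (data_offset_words << 12) | (flags & 0x1FF)
    # Checksum (the 7th field) is zero when computing the digest.
    tcp_hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                          offset_flags, window, 0, urgent)
    m = hashlib.md5()
    m.update(pseudo)
    m.update(tcp_hdr)
    m.update(payload)
    m.update(key)
    return m.digest()


def build_md5_option(seg, payload, key):
    """Build the on-the-wire option bytes for one outgoing segment."""
    digest = tcp_md5_digest(**seg, payload=payload, key=key)
    return bytes([TCP_MD5_OPTION_KIND, TCP_MD5_OPTION_LEN]) + digest


def verify_md5_option(option, seg, payload, key):
    """Receiver side: recompute the digest and compare in constant time.

    Any change to the addresses, ports, sequence numbers, payload or key
    yields a mismatch, so the segment is dropped before BGP ever sees it.
    """
    if len(option) != TCP_MD5_OPTION_LEN or option[0] != TCP_MD5_OPTION_KIND \
            or option[1] != TCP_MD5_OPTION_LEN:
        return False
    expected = tcp_md5_digest(**seg, payload=payload, key=key)
    return hmac.compare_digest(bytes(option[2:]), expected)


# Constructed sample session: documentation-range addresses, BGP port 179.
# Data offset 10 words = 20-byte header + 18-byte option + 2 bytes padding.
SEGMENT = {
    "src_ip": "192.0.2.1", "dst_ip": "198.51.100.1",
    "src_port": 40000, "dst_port": 179,
    "seq": 0x1A2B3C4D, "ack": 0x0F0E0D0C,
    "data_offset_words": 10, "flags": 0x18,   # PSH|ACK
    "window": 16384, "urgent": 0,
}
KEY = b"constructed-shared-secret"
# A BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


if __name__ == "__main__":
    opt = build_md5_option(SEGMENT, KEEPALIVE, KEY)
    print("option bytes:", opt.hex())
    print("same key verifies:", verify_md5_option(opt, SEGMENT, KEEPALIVE, KEY))
    print("wrong key verifies:", verify_md5_option(opt, SEGMENT, KEEPALIVE, b"wrong"))
    tampered = KEEPALIVE[:-1] + b"\x05"
    print("tampered payload verifies:", verify_md5_option(opt, SEGMENT, tampered, KEY))
```

What the model makes visible is the scope of the protection: a segment whose payload, addresses or sequence numbers were not produced by a holder of the key fails verification, which is why predictable TCP sequence numbers matter less once the option is on. It equally shows what is not covered: a peer that legitimately holds the key can still announce whatever prefixes it likes, so the option is no substitute for the prefix filtering on customer announcements the post argues for. The "forget the password on one side" failure mode in the post is also the first branch of `verify_md5_option`: a segment with no option, or one computed under a different key, is silently discarded and the session never establishes.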