
Re: Security team successfully cracks SSL using 200 PS3's and MD5 flaw.
From: Nick Hilliard <nick () foobar org>
Date: Sat, 03 Jan 2009 18:41:04 +0000

Hank Nussbacher wrote:
> You mean like for BGP neighbors?  Wanna suggest an alternative? :-)

tcp/md5 + gtsm (assuming directly connected peers) makes messing around
with bgp sessions rather difficult.  Filtering BGP packets at the edge and
borders slightly more so.  If you have CPU and sufficient quantities of
administrivium to spare, you can use ipsec on your routers for these sessions.

The real issue is how to make compromising bgp sessions sufficiently
difficult to make it an unattractive target.  Given that the cost of
getting write access to the DFZ is not really very high either technically
or financially, I'd propose that while gtsm / md5 / filtering aren't
perfect, they raise the bar high enough to make it not really worth
someone's while trying to break them; and IPsec more so.
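Modelling the two cheap defences Nick lists above, as an added example that is not part of his message or of any router vendor's code: a receiver-side check that applies GTSM (a directly connected peer must arrive with TTL 255) and then verifies an RFC 2385 TCP MD5 signature, run over constructed segments. The addresses, key, sequence numbers and segments are made up for the demo.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed demo values (not from the thread); a real key is per-peer.
PEER, LOCAL, KEY = "192.0.2.1", "192.0.2.2", b"example-bgp-key"
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"  # BGP KEEPALIVE: marker, length 19, type 4

def tcp_md5_digest(src, dst, hdr20, opt_len, payload, key):
    """RFC 2385 signature: MD5 over the IPv4 pseudo-header (src, dst, 0, proto 6,
    segment length), the 20-byte TCP header with checksum zeroed (options are
    not hashed, only counted in the length), the TCP data, and the shared key."""
    seg_len = len(hdr20) + opt_len + len(payload)
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, seg_len)
    hdr = hdr20[:16] + b"\x00\x00" + hdr20[18:]
    return hashlib.md5(pseudo + hdr + payload + key).digest()

def gtsm_accept(ttl, hops=1):
    """GTSM (RFC 5082) model: the peer sends TTL 255 and each router on the path
    decrements it, so a directly connected peer (hops=1) must still show 255;
    a packet routed in from further away cannot regain TTL and is dropped."""
    return ttl >= 256 - hops

def bgp_segment(src, dst, payload, ttl, key):
    """Constructed BGP segment (port 179, PSH|ACK) with a TCP MD5 option:
    kind 19, length 18, 16-byte digest, padded with two EOL bytes to 20 bytes."""
    hdr20 = struct.pack("!HHIIBBHHH", 179, 179, 1000, 2000, 10 << 4, 0x18, 65535, 0, 0)
    sig = tcp_md5_digest(src, dst, hdr20, 20, payload, key)
    return {"ttl": ttl, "src": src, "dst": dst, "hdr20": hdr20,
            "options": b"\x13\x12" + sig + b"\x00\x00", "payload": payload}

def accept_segment(seg, peer, local, key, hops=1):
    """Receiver-side checks: configured neighbour, GTSM on the IP TTL (cheap, before
    any MD5 work), then the RFC 2385 signature compared in constant time."""
    if seg["src"] != peer or seg["dst"] != local:
        return "reject: not the configured neighbour"
    if not gtsm_accept(seg["ttl"], hops):
        return "reject: GTSM (TTL %d)" % seg["ttl"]
    opts = seg["options"]
    if len(opts) < 18 or opts[0] != 19 or opts[1] != 18:
        return "reject: no TCP MD5 option"
    want = tcp_md5_digest(seg["src"], seg["dst"], seg["hdr20"], len(opts), seg["payload"], key)
    if not hmac.compare_digest(opts[2:18], want):
        return "reject: bad MD5 signature"
    return "accept"

if __name__ == "__main__":
    for ttl, key in ((255, KEY), (251, KEY), (255, b"guess")):
        print(ttl, accept_segment(bgp_segment(PEER, LOCAL, KEEPALIVE, ttl, key), PEER, LOCAL, KEY))
```

The TTL check rejects a segment that had to be routed in before any hashing is done, and the signature check rejects anything built without the per-peer key or altered in transit.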


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]