The MPLS-OPS Archive

Cell Relay Retreat>MPLS-OPS Archive>month:2005-Mar> msg00033



[Date Prev][Date Next][Thread Prev][Thread Next]  
  [Date Index][Thread Index][Author Index][Subject Index]

MD5 for TCP/BGP Sessions

  • From: Doug Legge <Doug.Legge@BerkeleyGroup.co.uk>
  • Date: Thu, 31 Mar 2005 08:02:18 +0100
  • Resent-Date: Thu, 31 Mar 2005 02:03:30 -0500
  • X-Scanned-By: MIMEDefang 2.45
  • X-SEF-2724C71B-6699-4336-99C5-34E79D7D15E: 1

I'm currently writing a paper for submission, as part of a MSc in Data
Communications, and would appreciate if anyone could update me as to the
implementation of MD5 for TCP authentication in BGP, particularly in
relation to iBGP/eBGP and MPLS.

Following the alerts last year:
http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml
http://www.us-cert.gov/cas/techalerts/TA04-111A.html
http://www.cisco.com/en/US/products/products_security_advisory09186a00803be7
d9.shtml
http://www.foundrynet.com/solutions/security/TCP_Vulnerability_v1_3.pdf
http://www.kb.cert.org/vuls/id/415294
http://isc.sans.org/diary.php?date=2004-04-20

What has been the general effect in the ISP/Enterprise community following
the warnings?
- Have people applied MD5?
- If not what other technologies were implemented (IPSec AH transport mode
for BGP sessions/ACL/rate limiting etc)?
- Has there been any performance impacts seen since implementation?
- Has the support of the BGP environment been increased because of this
implementation (What policies regards changing the MD5 keys were
implemented)?
- Was this seen as a valid fix or a knee-jerk reaction (Having re-read the
exchanges on NANOG regards the actual mathematical probability of generating
this attack, what did the ISP community actually do (compared to what the
academic/vendor community were suggesting)?

Whilst I've had some response from bgp-info and bgp-security, it's not
really been sufficient to draw any real conclusions. From your knowledge and
experience are you aware, either internally or with customers the take up of
MD5 implementations and had anyone actually suffered an attack prior to
implementation

--------------------------------
Please do not supply confidential information or anything that would be
commercially sensitive, if you want to contact me off-line or from a private
account please do


Yours

Doug Legge
MDC Student
Kingston University
London /UK

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml

MPLScon 2005 - May 16-19, NYC, NY
http://www.mplscon.com/