North American Network Operators Group
RE: Winstar says there is no TCP/BGP vulnerability
Michael Py wrote:
> Christopher / Patrick,
>
> > Christopher L. Morrow wrote:
> > I wasn't clear and for that I'm sorry. Except in the later
> > code trains, or until the recent past (1 year or so) changing
> > the BGP MD5 auth bits required the session to be reset.
>
> Then I'm the one sorry because I never got it to work (I have not tried
> hard, I have to say); I always considered the session reset to be
> an annoyance that was part of life. Dumb question: on what platforms is
> this working? If my memory is correct nothing below the 7200; I have
> seen numerous cases of peering with platforms such as 3600.

Have done around 100 of these in the past 24 hours. It's not related to platform AFAIK - we've successfully done the changes on a lowly 2651 and 3620 without outages, but a 7200 with older IOS did have an outage.

As a general guideline 12.0S and 12.1 have the session reset on password change, but 12.2S, 12.3 and _latest_ 12.2 mainline do not. Older 12.2 mainline is unclear, I've had one case where the session did reset (12.2(17a)) and a few where it did not (12.2(23)), but I don't know for sure if the reset was caused by not getting the password close enough to the right time in the case it failed, or by IOS automatically resetting the session like it did in earlier versions.

If you really want to know, test it in a lab. If setting a password results in a syslog message about the session being reset due to password change, then it will reset due to a password change :-)

David.