North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

md5 for bgp tcp sessions

  • From: Todd Underwood
  • Date: Wed Jun 22 22:05:33 2005

eric, all,

not to pick on eric at all, but since he raised the issue...

On Wed, Jun 22, 2005 at 11:42:46AM -0400, Eric Gauthier wrote:

> likely need to make modifications to our IGP/EGP setup.  Though we filter 
> OSPF multicast traffic, we wanted to add in MD5 passwords to our
> neighbors.

just a quick comment here.  i would encourage you not to do that.  

the md5 password hack to protect tcp sessions is rapidly falling out
of favor for a number of reasons.  among them:

1) it protects against a very limited "vulnerability".  for operating
systems that stay up for reasonable periods of time, that generate
sufficiently random ISNs and that check for in-windowness of syns and
rsts, there is a very limited exposure.

2) the cure is worse than the disease:
	
	a) many (all?) implementations of md5 protection of tcp expose
new, easy-to-exploit vulnerabilities in host OSes.  md5 verification
is slow and done on a main processor of most routers.  md5
verification typically takes places *before* the sequence number,
ports, and ip are checked to see whether they apply to a valid
session.  as a result, you've exposed a trivial processor DOS to your
box.  
	b) coordination problems cause downtime.  password
coordination problems are reported to be a major cause of downtime
among peers that i interact with.  this downtime is costly and is much
greater than the downtime caused by the (theoretical and not actively
exploited) tcp "vulnerability"

i would encourage everyone to seriously rethink the routine use of MD5
passwords to protect BGP tcp sessions.

t.

-- 
_____________________________________________________________________
todd underwood
director of operations & security
renesys - interdomain intelligence
todd@renesys.com   www.renesys.com