RE: key change for TCP-MD5

Another potential attack is an attempt to insert information into a BGP session, such as to introduce bogus routes, or to even become a "man in the middle" of a BGP session. One issue that worries me about this is that if this allows routing to be compromised, then I can figure out how to make money off of this (and if I can think of it, someone even nastier will probably also think of this). Of course this would be much more difficult to pull off, and might require viewing packets between routers to pull off, but if pulled off and not quickly detected could be unfortunate.
Ross
This one is hard to pull off. I think the general conclusion a couple years ago in the study that Sean Convery and Matt Franz did was that it was less work to try to own the router or buy your own AS ;)
Bora

This one is hard to pull off. I think the general conclusion a couple years ago in the study that Sean Convery and Matt Franz did was that it was less work to try to own the router or buy your own AS ;)
this is the "you don't have to run faster than the lion, you just have to run faster than your friend," theory. as those who survived to report are a biased sample, it is not well tested.
black hats are opportunistic, but not lazy. they look for cracks with amazing diligence. e.g. the recent brilliant post on cracking the xbox <http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System>.
when low-hanging fruit is unavailable, or when they see a really cool way to exploit the higher fruit, it would be prudent to have done something about it. who cares about openly recursive dns servers? there are easier ways to crack the host. oops!
unfortunately, this is not just theory. few talk about the serious routing attacks that have been seen.
randy

On Wed, Jun 21, 2006 at 05:55:21PM -0700, Randy Bush wrote:
when low-hanging fruit is unavailable, or when they see a really cool way to exploit the higher fruit, it would be prudent to have done something about it. who cares about openly recursive dns servers? there are easier ways to crack the host. oops!
There is a fine line between being diligent about security, and wasting your time trying to solve problems that don't exist, which I think has been crossed in the discussion.
Not to venture too far away from facts and into the realm of cute soundbites and quotable one-liners about lions and fruit, but let me propose what I think is a good one: If the bad guys have copies of your MD5 passwords, then you have way bigger problems than the bad guys having copies of your MD5 passwords.
I have yet to hear a reasonable counter-argument to this. If there is one out there that has not yet been made then by all means now is the time to make it. Otherwise, you would really be better served by devoting your time and energy to solving real problems. If you're running low on real problems to solve, I would be happy to send you some of mine. :)
--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

On Wed, 21 Jun 2006, Richard A Steenbergen wrote:
There is a fine line between being diligent about security, and wasting your time trying to solve problems that don't exist, which I think has been crossed in the discussion.
While TCP-MD5 could be useful in some cases (mainly in Internet Exchanges), I mostly agree with RAS that the big picture isn't necessarily clear. Hence, this is my chance to plug my view of it:
http://www.ietf.org/internet-drafts/draft-savola-rtgwg-backbone-attacks-01.t...
It's a short document, less than 15 pages. Comments are welcome. The goal of the document is to be able to better convey the real story both between the operator-operator and operator-IETF interfaces :-)
--
Pekka Savola, Netcore Oy. Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds." -- George R.R. Martin: A Clash of Kings

participants (4)
- Bora Akyol
- Pekka Savola
- Randy Bush
- Richard A Steenbergen