eric, all,

not to pick on eric at all, but since he raised the issue...

On Wed, Jun 22, 2005 at 11:42:46AM -0400, Eric Gauthier wrote:

> likely need to make modifications to our IGP/EGP setup. Though we filter OSPF multicast traffic, we wanted to add in MD5 passwords to our neighbors.
just a quick comment here. i would encourage you not to do that. the md5 password hack to protect tcp sessions is rapidly falling out of favor for a number of reasons. among them:

1) it protects against a very limited "vulnerability". for operating systems that stay up for reasonable periods of time, that generate sufficiently random ISNs and that check for in-windowness of syns and rsts, there is a very limited exposure.

2) the cure is worse than the disease:

   a) many (all?) implementations of md5 protection of tcp expose new, easy-to-exploit vulnerabilities in host OSes. md5 verification is slow and done on the main processor of most routers. md5 verification typically takes place *before* the sequence number, ports, and ip are checked to see whether they apply to a valid session. as a result, you've exposed a trivial processor DoS to your box.

   b) coordination problems cause downtime. password coordination problems are reported to be a major cause of downtime among peers that i interact with. this downtime is costly and is much greater than the downtime caused by the (theoretical and not actively exploited) tcp "vulnerability".

i would encourage everyone to seriously rethink the routine use of MD5 passwords to protect BGP tcp sessions.

t.

--
_____________________________________________________________________
todd underwood
director of operations & security
renesys - interdomain intelligence
todd@renesys.com
www.renesys.com
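The check-ordering point in 2a above, as an added illustration (not code from the post or from any router vendor): a simulated receiver holding one BGP session processes a constructed flood of spoofed, off-session RST segments plus one genuine keepalive, once with the digest verified before demux and window checks and once with the cheap checks first. Both accept the same segments; only the number of MD5 computations differs. The digest is a simplified stand-in for the RFC 2385 option (constructed addresses, key and counts are assumptions).

```python
import hashlib
import struct
from dataclasses import dataclass

# Constructed receiver state: one BGP session, local side :179.
SESSION = ("192.0.2.1", 179, "198.51.100.7", 53210)  # local ip, local port, remote ip, remote port
RCV_NXT, RCV_WND = 1_000_000, 16384                   # next expected seq, receive window
KEY = b"example-md5-secret"                           # constructed shared TCP MD5 key

@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    flags: str
    payload: bytes
    digest: bytes = b""

def tcp_md5(seg, key):
    """Simplified RFC 2385-style digest: MD5 over pseudo-header, header fields, payload, key.
    Real stacks hash the exact wire bytes; the ordering argument does not depend on that."""
    ph = seg.src.encode() + seg.dst.encode() + struct.pack("!HHI", seg.sport, seg.dport, seg.seq)
    return hashlib.md5(ph + seg.flags.encode() + seg.payload + key).digest()

def matches_session(seg):
    return (seg.dst, seg.dport, seg.src, seg.sport) == SESSION

def in_window(seg):
    return RCV_NXT <= seg.seq < RCV_NXT + RCV_WND

def receive_md5_first(segs):
    """The implementation the post describes: digest verified before demux/window checks."""
    hashes = accepted = 0
    for s in segs:
        hashes += 1                                   # expensive work on every segment
        if tcp_md5(s, KEY) == s.digest and matches_session(s) and in_window(s):
            accepted += 1
    return hashes, accepted

def receive_cheap_checks_first(segs):
    """Same acceptance outcome, but 4-tuple and window are checked before the digest."""
    hashes = accepted = 0
    for s in segs:
        if not (matches_session(s) and in_window(s)):
            continue                                  # off-session or out-of-window: no hash
        hashes += 1
        if tcp_md5(s, KEY) == s.digest:
            accepted += 1
    return hashes, accepted

def demo():
    good = Segment("198.51.100.7", 53210, "192.0.2.1", 179, RCV_NXT, "PSH,ACK", b"KEEPALIVE")
    good.digest = tcp_md5(good, KEY)
    # Constructed flood: unkeyed RSTs from unrelated sources, sequence numbers outside the window.
    flood = [Segment("203.0.113.%d" % (i % 250), 40000 + i, "192.0.2.1", 179, i * 65536, "RST", b"")
             for i in range(1000)]
    return receive_md5_first(flood + [good]), receive_cheap_checks_first(flood + [good])
```

`demo()` returns `((1001, 1), (1, 1))`: the digest-first receiver hashes every one of the 1001 segments to accept the same single keepalive that the cheap-checks-first receiver accepts after one hash.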