Maybe it is reasonable to have a simple MD-5 key - I mean, without a rotation, use e-mail to exchange it instead of the phone, do not generate but use a simple password, and so on. If this key is never changed, then the risk to lose a session is very low, and I do not see _any_ reason to keep it on a rotation plan (a hacker must know too much and can damage too little, in this case). Even such keys as '415' or 'monday' will prevent TCP attacks in all cases - if a single attack requires 5 - 30 minutes for one hit, then no way exists to use a dictionary 'guess' for password cracking. Now we can see a _hysteria_ around this problem; but yes, when it cools down (1 - 2 weeks), it will be time to make reasonable improvements.

----- Original Message -----
From: "Patrick W.Gilmore" <patrick@ianai.net>
To: <nanog@merit.edu>
Cc: "Patrick W.Gilmore" <patrick@ianai.net>
Sent: Tuesday, April 20, 2004 8:49 PM
Subject: Re: Winstar says there is no TCP/BGP vulnerability
On Apr 20, 2004, at 11:29 PM, Michel Py wrote:
Please forgive me if I'm naive and/or ask a stupid question, but is there any reason (besides your platform not supporting it) _not_ to MD5 your BGP sessions? Geez, on my _home_ router all my v4 BGP sessions are MD5ed (v6 not there yet).
There is serious operational overhead in maintaining sync'ed passwords between separate organizations. IOW: Eventually someone will screw up and lose the password. When they do, the session goes down, and probably for far longer than if some miscreant tries to RST it via the "vulnerability".
Actual data: Over the past three plus years an organization with on the order of a dozen MD5-ized BGP sessions has had multiple down sessions due to, for instance, a peer doing standard (for them) password rotation and forgetting to inform the organization. Each time incurred a minimum of several hours downtime, once stretching into several days as the peer could not figure out what was wrong and get the right person with the password to give it to the organization.
Over the past three plus years with over 1000 non-MD5-ized BGP sessions, the same organization experienced exactly *ZERO* seconds of downtime identified as due to RST-style attacks. And certainly no prolonged outages due to it.
Add to that the additional CPU overhead some people have reported, making it easier to packet the router to its knees, and MD5 looks like a cure worse than the disease.
All that said, it is your router, your peers, your decision. I would never dream of telling anyone who wanted MD5 to not do it. I just don't understand people who want to do it. Especially when they could be doing things like filtering at the leaf nodes and forcing their vendors to support the TTL hack.
But that's me.
-- TTFN, patrick
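For readers who want to see what "MD5ing a BGP session" actually checks, the following is an added illustration (not code from this thread or from any router vendor) of the RFC 2385 TCP MD5 Signature Option: the receiver recomputes the digest over the pseudo-header, TCP header, data and shared key, and discards any segment, an RST included, whose digest is missing or does not match. Addresses, ports and the key are constructed; the option is assumed to be first in the option list and the fixed header is not checksummed, so this is a model of the check, not a packet implementation.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO, MD5_OPT_KIND, MD5_OPT_LEN = 6, 19, 18   # RFC 2385: kind 19, 16-byte digest + 2
OPTIONS = 20                                        # option + two NOPs (4-byte alignment)

def tcp_header(src_port, dst_port, seq, ack, flags):
    """Fixed 20-byte TCP header; checksum zero, data offset = header + options in 32-bit words."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       ((20 + OPTIONS) // 4) << 4, flags, 65535, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, header, payload, seg_len, key):
    """RFC 2385 digest: pseudo-header, fixed header (checksum 0, no options), data, then key."""
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    return hashlib.md5(pseudo + header + payload + key).digest()

def sign_segment(src_ip, dst_ip, header, payload, key):
    """Sender side: append the kind-19 option (NOP padded) carrying the digest."""
    seg_len = len(header) + OPTIONS + len(payload)
    digest = tcp_md5_digest(src_ip, dst_ip, header, payload, seg_len, key)
    return header + bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01" + payload

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: drop any segment (RST included) whose digest is missing or wrong.
    Simplification (assumed here): the signature option is first in the option list."""
    header, doff = segment[:20], (segment[12] >> 4) * 4
    options, payload = segment[20:doff], segment[doff:]
    if len(options) < MD5_OPT_LEN or options[0] != MD5_OPT_KIND or options[1] != MD5_OPT_LEN:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, len(segment), key)
    return hmac.compare_digest(options[2:18], expected)

def demo():
    """Constructed session 192.0.2.1:179 <-> 198.51.100.1:52000; key 'monday' as in the reply."""
    a, b, key = "192.0.2.1", "198.51.100.1", b"monday"
    rst = tcp_header(179, 52000, seq=1000, ack=2000, flags=0x14)       # RST|ACK
    genuine = sign_segment(a, b, rst, b"", key)
    guessed = sign_segment(a, b, rst, b"", b"friday")                 # wrong key
    unsigned = rst + b"\x01" * OPTIONS                                  # no signature option
    return (verify_segment(a, b, genuine, key),
            verify_segment(a, b, guessed, key),
            verify_segment(a, b, unsigned, key),
            verify_segment("203.0.113.9", b, genuine, key))            # different source address
```

Only the first segment is accepted; the digest also covers the IP addresses, so the same signed RST replayed from another source address fails the check.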