Date: Tue, 19 Oct 2004 09:21:46 -0700 From: Randy Bush <randy@psg.com> Subject: Re: BCP38 making it work, solving problems
For example, how many ISPs use TCP MD5 to limit the possibility of a BGP/TCP connection getting hijacked or disrupted by a ddos attack?
i hope none use it for the latter, as it will not help. more and more use it for the former. why? becuase they perceived the need to solve an immediate problem, a weakness in a vendor's code.
Uhm, you might need to run that by me again... Hijacking the connection is in a completely different class as someone bombarding you with a bunch of forged BGP packets to close down a session. Without that MD5 checksum you are quite vulnerable to that. I haven't seen a vendor come up with a solution to that, because the problem is on a much more vendor-neutral level... Regards, JP Velders PS: ofcourse that MD5 option also causes problems for peerings to come back "up" again if you have to reboot/reload *without* properly closing them... :( Hey, pro's and con's are part of the job ;)