Re: What Worked - What Didn't
Alex Bligh <alex@alex.org.uk> writes:
--On Monday, 17 September, 2001 2:32 PM -0400 "Patrick W. Gilmore" <patrick@ianai.net> wrote:
Maybe I missed something?
Only all the well documented attacks (including DoS). Think about sending RST to BGP port (and other random ports) on your routers.
I thought TCP stacks were supposed to do sequence number checking on RSTs to make sure they fell within the bounds of the unacknowledged portion of the current window? Or is Cisco's implementation broken? M.
boys and girls, some folk with clue are trying to advise you to do something trivial that might raise the safety level a little. also, they may not want to describe why too blatantly. you don't need to wear a belt. no skin off me if your ass ends up hangin' out there in the breeze. sheesh! randy
Randy Bush wrote:
boys and girls, some folk with clue are trying to advise you to do something trivial that might raise the safety level a little. also, they may not want to describe why too blatantly.
Since this has been brought up... We've recently brought up a connection at AADS in July. Of about 30 peers brought online so far, this is a summary of the responses we've received when we've asked to implement MD5 authentication. Two refused. One simply said they don't support it. The other with reasoning that it was dumb and unnecessary with point-to-point links (ATM PVCs). We had one peer who agreed to use it, but said it was really unnecessary. Another agreed to use it, but doesn't like to because they've found that their peers sometimes forget or lose the passwords. Guess who lost the password once already? :-) More than a half dozen organizations were doing authentication for the first time with us. Two organizations said they don't support TCP MD5 authentication, but they'll do BGP password. Now when I ask I put an 'aka BGP password' in parentheses after I use the words 'TCP MD5 authentication'. Only one organization told me they *prefer* (my emphasis) to do authentication. The remaining organizations only do authentication if asked.
From the peering policies or online documentation I saw only one organization even mentioned authentication.
The most common means of exchanging a password was over the phone. The second most common way was via PGP encrypted email. One organization sent a password in plain text email. John
Two refused. One simply said they don't support it. The other with reasoning that it was dumb and unnecessary with point-to-point links (ATM PVCs).
a bit light on the clue, eh?
Two organizations said they don't support TCP MD5 authentication, but they'll do BGP password. Now when I ask I put an 'aka BGP password' in parentheses after I use the words 'TCP MD5 authentication'.
hey, they may never have seen more than one vendor in their lives, but at least they're trying.
The most common means of exchanging a password was over the phone. The second most common way was via PGP encrypted email. One organization sent a password in plain text email.
i'll settle randy
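As an added illustration that is not part of this thread: the "TCP MD5 authentication" (aka "BGP password") John asks peers for is the RFC 2385 TCP option, and the reason it blunts the spoofed-RST problem Alex and Martin discuss is that a keyed session discards any segment whose signature does not verify, whatever its sequence number. The sketch below signs and verifies a segment the way RFC 2385 describes (IPv4 pseudo-header, fixed TCP header with checksum zeroed, payload, then key); the addresses, ports, key and BGP KEEPALIVE payload are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND = 19   # TCP option kind defined by RFC 2385
MD5SIG_LEN = 18    # kind (1) + length (1) + 16-byte MD5 digest
IPPROTO_TCP = 6


def rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key):
    """16-byte RFC 2385 signature: IPv4 pseudo-header, the fixed 20-byte TCP
    header with checksum zeroed (options excluded), the data, then the key."""
    tcp_len = len(tcp_header) + len(payload)          # header incl. options + data
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len))
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]   # zero the checksum
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Build a TCP header (fixed part + MD5 option padded with two NOPs) and sign it.
    The checksum stays zero here; a real stack fills it in after signing."""
    option = struct.pack("!BB", MD5SIG_KIND, MD5SIG_LEN) + b"\x00" * 16 + b"\x01\x01"
    data_offset = (20 + len(option)) // 4             # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, 65535, 0, 0)
    digest = rfc2385_digest(src_ip, dst_ip, fixed + option, payload, key)
    return fixed + option[:2] + digest + b"\x01\x01"


def verify_segment(src_ip, dst_ip, tcp_header, payload, key):
    """Accept only if an MD5 option is present and its digest matches; a keyed
    connection drops unsigned segments, so a bare RST returns False."""
    header_len = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:header_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # End of Option List
            break
        if kind == 1:                                  # NOP
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                                 # malformed option
            return False
        if kind == MD5SIG_KIND and length == MD5SIG_LEN:
            expected = rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key)
            return hmac.compare_digest(opts[i + 2:i + 18], expected)
        i += length
    return False
```

The digest deliberately excludes the options, so the signature field itself need not be zeroed when recomputing; the addresses are covered via the pseudo-header, so a segment replayed with swapped endpoints also fails.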
Participants (3): John Kristoff, Martin Cooper, Randy Bush