Hi folks,

I understand that MD5 is quite commonly used in IGPs such as OSPF but not in BGP4. Am I correct? Can someone explain to me why? Shouldn't one be more concerned about the session being hijacked when talking to another network?

Thanks,
Hansen
"HANSEN CHAN" wrote:

> I understand that MD5 is quite commonly used in IGPs such as OSPF but not in BGP4. Am I correct? Can someone explain to me why? Shouldn't one be more concerned about the session being hijacked when talking to another network?

i believe this is because bgp will not establish a session unless the other end is directly connected. hence the reason for ebgp-multihop. so unless somebody drops a physical line into your router and configures it, you shouldn't have a problem. at least that's the way i understand it. please correct me if i'm wrong.

damon
> Date: Wed, 12 Jul 2000 08:26:56 -0400
> From: "HANSEN CHAN" <hansen.chan@alcatel.com>
> Sender: owner-nanog@merit.edu
>
> Hi folks,
>
> I understand that MD5 is quite commonly used in IGPs such as OSPF but not in BGP4. Am I correct? Can someone explain to me why? Shouldn't one be more concerned about the session being hijacked when talking to another network?

I'll take a crack at this, I guess. OSPF and most (all?) other IP-based routing protocols broadcast and flood data. This makes it pretty easy for someone to simply send out a spoofed packet and have it believed by one or more routers. BGP is a TCP-based protocol and is normally run only to an adjacent peer. This combination makes it very hard to break into. You have to have another system on the shared media send a spoofed packet with bogus information that fits the TCP stream and the BGP status for that peering (and many BGP connections are point-to-point, making even this impossible). Multi-hop BGP is a different beast and much more likely to be subject to attack, but it's also pretty rare and such an attack would still be very difficult.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net
Phone: +1 510 486-8634
On Wed, Jul 12, 2000 at 08:26:56AM -0400, HANSEN CHAN wrote:

> I understand that MD5 is quite commonly used in IGPs such as OSPF but not in BGP4. Am I correct? Can someone explain to me why? Shouldn't one be more concerned about the session being hijacked when talking to another network?

Yes. Many providers are now deploying password-based bgp sessions with upstreams/peers/customers as an added security measure.

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/
My statements are only mine. END OF LINE |
Randy,

> > I understand that MD5 is quite commonly used in IGPs such as OSPF but not in BGP4. Am I correct?
>
> no. sensible bgp peers use md5 sig in bgp4. see rfc 2385

You are both right. MD5 is not commonly used in BGP4. Draw your own conclusions w.r.t. sensibleness of the peers.

--
Alex Bligh
VP Core Network, Concentric Network Corporation (formerly GX Networks, Xara Networks)
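The RFC 2385 option Randy points to is what closes the gap Kevin describes: even a segment that fits the TCP stream and the BGP state of the peering is discarded unless it also carries a 16-byte MD5 digest computed with the shared key. The following is an added example, not code from this thread or from any of its posters, that computes and verifies that option over a constructed segment carrying a BGP KEEPALIVE. The addresses (192.0.2.1/192.0.2.2), ports, sequence numbers and key are constructed; the digest ordering (pseudo-header, 20-byte TCP header with checksum zeroed, data, key) and the option kind/length (19/18) are as specified in RFC 2385.

```python
# Added example, not code from the NANOG thread or any of its posters.
# Computes and verifies the RFC 2385 TCP MD5 Signature Option used to
# protect BGP sessions. Addresses, ports, key and payload are constructed.
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCPOPT_MD5SIG = 19      # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18     # kind + length + 16-byte MD5 digest
TCPOPT_NOP = 1

# Constructed BGP KEEPALIVE (RFC 4271): 16-byte marker, length 19, type 4.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, options, payload, key):
    """RFC 2385 section 2: MD5 over (1) the pseudo-header, (2) the 20-byte
    TCP header without options and with checksum zeroed, (3) the segment
    data, (4) the shared key. The segment length in the pseudo-header
    covers options and data."""
    tcp_len = len(fixed_header) + len(options) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    header = fixed_header[:16] + b"\x00\x00" + fixed_header[18:20]
    m = hashlib.md5()
    for part in (pseudo, header, payload, key):
        m.update(part)
    return m.digest()


def _fixed_header(src_port, dst_port, seq, ack, flags, doff_words, window=65535):
    # Checksum left at zero: a real stack fills it in after signing, and
    # RFC 2385 excludes it from the digest anyway.
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       doff_words << 4, flags, window, 0, 0)


def build_signed_segment(src_ip, dst_ip, src_port, dst_port, seq, ack,
                         flags, payload, key):
    """Build fixed header + MD5 option (padded with two NOPs) + payload."""
    options_len = TCPOLEN_MD5SIG + 2
    doff_words = (20 + options_len) // 4           # 10 words = 40 bytes
    fixed = _fixed_header(src_port, dst_port, seq, ack, flags, doff_words)
    pad = bytes([TCPOPT_NOP, TCPOPT_NOP])
    # The digest does not cover the options, so a zero placeholder is fine.
    options = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + b"\x00" * 16 + pad
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, options, payload, key)
    options = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest + pad
    return fixed + options + payload


def build_unsigned_segment(src_port, dst_port, seq, ack, flags, payload=b""):
    """A segment with no MD5 option, e.g. a RST that happens to fit the stream."""
    return _fixed_header(src_port, dst_port, seq, ack, flags, 5) + payload


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: True only if the segment carries an MD5 option whose
    digest matches the shared key. Anything else is silently dropped."""
    if len(segment) < 20:
        return False
    doff = (segment[12] >> 4) * 4
    if doff < 20 or doff > len(segment):
        return False
    fixed, options, payload = segment[:20], segment[20:doff], segment[doff:]
    received = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return False
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return False
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            received = options[i + 2:i + 18]
        i += length
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, options, payload, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    key = b"s3cret-peer-key"     # constructed shared key
    seg = build_signed_segment("192.0.2.1", "192.0.2.2", 179, 40000,
                               1000, 2000, 0x18, BGP_KEEPALIVE, key)
    print("genuine keepalive accepted:", verify_segment("192.0.2.1", "192.0.2.2", seg, key))
    rst = build_unsigned_segment(40000, 179, 2000, 1000, 0x14)
    print("RST without key accepted:", verify_segment("192.0.2.2", "192.0.2.1", rst, key))
```

Two points worth noticing on the receiving side: the digest is bound to the IP pseudo-header, so the same segment replayed from a different address fails, and RFC 2385 has the receiver drop a failing segment silently rather than answer with a RST, which is why a wrong or missing key shows up as a BGP session that simply never comes up.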
Participants (6): Alex Bligh, Damon M. Conway, HANSEN CHAN, Jared Mauch, Kevin Oberman, Randy Bush