I'm wondering just how many ISPs are using HMAC-MD5 to authenticate IS-IS route advertisements within their ASs, or MD5 on BGP peering sessions? I don't need a real number, just a sense of the community. Is usage increasing? Is it dead? Is it regional? etc. Any anecdotal info you have is appreciated. I don't need names of ISPs, just whether or not these technologies are being used.

thanks,
Barbara

Barbara Fraser
Consulting Engineer
Cisco Systems, Inc.
Phone: +1 (408) 525-1735
On Mon, 3 Jun 2002, Barbara Fraser wrote:
I'm wondering just how many ISPs are using HMAC-MD5 to authenticate IS-IS route advertisements within their ASs, or MD5 on BGP peering sessions? I don't need a real number, just a sense of the community. Is usage increasing? is it dead? is it regional? etc. Any anecdotal info you have is appreciated. I don't need names of ISPs, just whether or not these technologies are being used.
Some ISPs are practically religious about using them, usually the result of a single person at the ISP pushing it. But for the most part it hasn't really taken hold in the professional security consulting field. They are still stuck on stuff like turning off classless (CIDR) IP routing and source routing because the NSA said so. My experience (before this spring) was a handful of ISPs (single digits) regularly used MD5 on their routers for BGP routing. On a case by case basis you can get most ISPs to set up MD5 on your particular BGP session, once you found the right engineer. But it was rarely included as part of the default configuration, and therefore rarely done.
On Tue, 4 Jun 2002, Sean Donelan wrote:

:Some ISPs are practically religious about using them, usually the result
:of a single person at the ISP pushing it. But for the most part it hasn't
:really taken hold in the professional security consulting field.

I would suggest that it is also ISPs who do not hire security consultants. Consulting fees tend to come from departmental budgets, and almost every network engineer I have ever met fancies themselves a security expert. There isn't a lot of incentive for them to get a third-party opinion, because of a lack of faith in the clue of most consultants, and a general aversion to having anyone touch the delicate house of cards many network engineers have constructed.

Maybe Cisco could add this as a default requirement of the configuration that had to be explicitly disabled? In fact, it would be nice if all protocol configurations had to have their authentication manually disabled.

-- batz
On Tue, Jun 04, 2002 at 10:20:10AM -0400, batz wrote:
Maybe Cisco could add this as a default requirement of the configuration that had to be explicitly disabled? In fact, it would be nice if all protocol configurations had to have their authentication manually disabled.
With respect to BGP MD5 at least, a shared key is required, so you can't make it "default".

As for why it's not more commonly used... Despite all the whining about the potential for an attack, I'm not aware of anyone having actually done so. Routers are notoriously under-CPU'd, and I think most engineers would rather have routes converge 30% faster than protect against an attack no one has ever done. That and it's just one more thing to negotiate with the other side. :)

-- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
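For readers who have not looked at what "BGP MD5" actually signs, here is an added worked example of the RFC 2385 TCP MD5 option (this is illustrative code written for this page, not code from the thread or from any router vendor). The digest is a plain MD5 over the TCP pseudo-header, the TCP header without options (checksum taken as zero), the segment data, and finally the shared key; it is not an HMAC, unlike the IS-IS HMAC-MD5 mechanism Barbara also asked about. The segment, the BGP KEEPALIVE payload, the RFC 5737 documentation addresses and the key are all constructed for the example. Because the key is the only secret in the construction, there is nothing a vendor could ship as a default: a default key is no key, which is Richard's point.

```python
"""RFC 2385 TCP MD5 signature option, built and verified on constructed data.

Illustrative code for this page, not from the thread or any router vendor.
"""
import hashlib
import hmac
import socket
import struct

TCP_OPT_MD5 = 19        # option kind assigned by RFC 2385
TCP_OPT_MD5_LEN = 18    # kind + length + 16-byte digest
IPPROTO_TCP = 6


def tcp_md5_digest(src_ip, dst_ip, tcp_segment, key):
    """Compute the RFC 2385 digest over a full TCP segment (header + options + data).

    Hashed in order: pseudo-header (src, dst, zero, protocol, segment length),
    the 20-byte TCP header *excluding options* with checksum zeroed, the data,
    and the shared key. Note: plain MD5 with the key appended, not an HMAC.
    """
    data_offset = (tcp_segment[12] >> 4) * 4
    base_header = bytearray(tcp_segment[:20])
    base_header[16:18] = b"\x00\x00"           # checksum is assumed zero
    payload = tcp_segment[data_offset:]
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp_segment)))
    h = hashlib.md5()
    h.update(pseudo)
    h.update(bytes(base_header))
    h.update(payload)
    h.update(key)
    return h.digest()


def build_segment(sport, dport, seq, ack, flags, payload, options=b""):
    """Assemble a TCP header (options NOP-padded to 32 bits) followed by payload."""
    while len(options) % 4:
        options += b"\x01"                     # NOP padding
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + options + payload


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Sender side: emit a segment carrying a valid MD5 option.

    The digest does not cover options, so build with a zero placeholder,
    compute, then splice the real digest in right after the 20-byte header.
    """
    placeholder = bytes([TCP_OPT_MD5, TCP_OPT_MD5_LEN]) + b"\x00" * 16
    seg = build_segment(sport, dport, seq, ack, flags, payload, placeholder)
    digest = tcp_md5_digest(src_ip, dst_ip, seg, key)
    return seg[:22] + digest + seg[22 + 16:]


def find_md5_option(tcp_segment):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    data_offset = (tcp_segment[12] >> 4) * 4
    opts = tcp_segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # end of option list
            break
        if kind == 1:                          # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                              # malformed option, stop parsing
        length = opts[i + 1]
        if kind == TCP_OPT_MD5 and length == TCP_OPT_MD5_LEN:
            return bytes(opts[i + 2:i + 18])
        i += length
    return None


def verify_segment(src_ip, dst_ip, tcp_segment, key):
    """Receiver side: True only if the option is present and matches.

    A connection configured for MD5 discards unsigned segments, so a missing
    option is a failure, not a pass. Comparison is constant-time.
    """
    received = find_md5_option(tcp_segment)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_segment, key)
    return hmac.compare_digest(received, expected)


# Constructed sample data: a BGP KEEPALIVE (16-byte marker, length 19, type 4),
# a hypothetical shared key, and RFC 5737 documentation addresses.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
KEY = b"example-shared-secret"
PEER_A, PEER_B = "192.0.2.1", "192.0.2.2"


def demo():
    """Sign once, then verify: right key, wrong key, tampered data, spoofed source."""
    seg = sign_segment(PEER_A, PEER_B, 179, 40000, 1000, 2000, 0x18,
                       BGP_KEEPALIVE, KEY)
    ok = verify_segment(PEER_A, PEER_B, seg, KEY)
    wrong_key = verify_segment(PEER_A, PEER_B, seg, b"not-the-key")
    tampered = seg[:-1] + bytes([seg[-1] ^ 1])   # flip the KEEPALIVE type byte
    forged = verify_segment(PEER_A, PEER_B, tampered, KEY)
    spoofed_src = verify_segment("198.51.100.9", PEER_B, seg, KEY)
    return ok, wrong_key, forged, spoofed_src


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The spoofed-source case is the one that matters for the attack this thread is discussing: because the pseudo-header (both IP addresses) is inside the digest, an injected RST or a forged UPDATE from another address fails verification even if the attacker guessed the sequence number. The cost Richard mentions is also visible here: every received segment on the session, not just BGP messages, gets an MD5 pass before the TCP stack will accept it.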
When I've tried asking about this I generally am told...

(a) it was perceived to cause performance issues,
(b) the routing software is so brittle that adding this feature is considered too high a risk,
(c) the person at the other end didn't know how to enable it so you couldn't do it [in other words, there are urban legends about clueless network engineers too],
(d) no hacker could figure out how to get into the infrastructure far enough to attack that so it's not worth attacking (I consider this excuse invalid but that's just my opinion. I can find Zebra and get into a colo, I assume the bad guys could if they felt like it.)

This also comes up at NDSS periodically, I believe. You might check the archives for that conference to see if there are papers on the topic.

I'm sure this august body can come up with some more data to identify consensus reasons.

At 10:20 AM 6/4/02 -0400, batz wrote:
On Tue, 4 Jun 2002, Sean Donelan wrote:
:Some ISPs are practically religious about using them, usually the result :of a single person at the ISP pushing it. But for the most part it hasn't :really taken hold in the professional security consulting field.
I would suggest that it is also ISPs who do not hire security consultants. Consulting fees tend to come from departmental budgets, and almost every network engineer I have ever met fancies themselves a security expert. There isn't a lot of incentive for them to get a third-party opinion, because of a lack of faith in the clue of most consultants, and a general aversion to having anyone touch the delicate house of cards many network engineers have constructed.
Maybe Cisco could add this as a default requirement of the configuration that had to be explicitly disabled? In fact, it would be nice if all protocol configurations had to have their authentication manually disabled.
-- batz
participants (5)
- Barbara Fraser
- batz
- Richard A Steenbergen
- Rodney Thayer
- Sean Donelan