Re: md5 for bgp tcp sessions

2005-06-23 Thread Richard A Steenbergen
On Thu, Jun 23, 2005 at 05:57:05AM -0400, Todd Underwood wrote: > > my understanding is that md5 is still checked before the ttl-hack > check takes place on cisco (and perhaps most router platforms). new > attack vector for less security than you had before. oh well. ras: > can you confirm tha

Re: md5 for bgp tcp sessions

2005-06-23 Thread Robert E . Seastrom
Eric Gauthier <[EMAIL PROTECTED]> writes: > Honestly, I completely agree with you that MD5'ing our OSPF > adjacencies isn't a great idea (I've so far stalled its roll-out). > I strongly argued against it internally. There were, however, those > in both the networking and security groups that we

Re: md5 for bgp tcp sessions

2005-06-23 Thread Jared Mauch
On Thu, Jun 23, 2005 at 05:57:05AM -0400, Todd Underwood wrote: > > ras, all, > > On Thu, Jun 23, 2005 at 12:14:12AM -0400, Richard A Steenbergen wrote: > > On Wed, Jun 22, 2005 at 10:04:09PM -0400, Todd Underwood wrote: > > > > a) many (all?) implementations of md5 protection of tcp expose >

Re: md5 for bgp tcp sessions

2005-06-23 Thread Jared Mauch
On Thu, Jun 23, 2005 at 10:27:49AM -0400, Todd Underwood wrote: > > marty, > > On Thu, Jun 23, 2005 at 10:22:07AM -0400, Hannigan, Martin wrote: > > > rolling out magic code because your > > > vendor tells you to is a bad idea; > > > > That's mostly the result of the calamitous failure in vul

Re: md5 for bgp tcp sessions

2005-06-23 Thread Joe Abley
On 2005-06-23, at 09:57, Eric Gauthier wrote: likely need to make modifications to our IGP/EGP setup. Though we filter OSPF multicast traffic, we wanted to add in MD5 passwords to our neighbors. just a quick comment here. i would encourage you not to do that. Honestly, I completely agr

Re: md5 for bgp tcp sessions

2005-06-23 Thread Todd Underwood
marty, On Thu, Jun 23, 2005 at 10:22:07AM -0400, Hannigan, Martin wrote: > > rolling out magic code because your > > vendor tells you to is a bad idea; > > That's mostly the result of the calamitous failure in vulnerability > release methodology, not Operator stupidity. totally agreed. ven

RE: md5 for bgp tcp sessions

2005-06-23 Thread Hannigan, Martin
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of > Todd Underwood > Sent: Thursday, June 23, 2005 5:57 AM > To: Richard A Steenbergen > Cc: nanog@merit.edu > Subject: Re: md5 for bgp tcp sessions > > > > ras, all, &

RE: md5 for bgp tcp sessions

2005-06-23 Thread Barry Greene (bgreene)
> my understanding is that md5 is still checked before the > ttl-hack check takes place on cisco (and perhaps most router > platforms). new attack vector for less security than you had > before. oh well. ras: > can you confirm that it is possible to implement ttl-hack and > have it check

Re: md5 for bgp tcp sessions

2005-06-23 Thread Eric Gauthier
Todd, > eric, all, not to pick on eric at all, but since he raised the issue... I always assume and, frankly hope, that when I post something someone will pipe up and point out anything that's inaccurate, needs clarification, is a bad idea, etc. > > likely need to make modifications to our IGP/E

Re: md5 for bgp tcp sessions

2005-06-23 Thread Todd Underwood
ras, all, On Thu, Jun 23, 2005 at 12:14:12AM -0400, Richard A Steenbergen wrote: > On Wed, Jun 22, 2005 at 10:04:09PM -0400, Todd Underwood wrote: > > a) many (all?) implementations of md5 protection of tcp expose > > new, easy-to-exploit vulnerabilities in host OSes. md5 verification > > i

Re: md5 for bgp tcp sessions

2005-06-22 Thread Patrick W. Gilmore
On Jun 23, 2005, at 12:14 AM, Richard A Steenbergen wrote: Just please realize that this is a trivial layer of security, an extra little bit of insurance to make it harder to alter the packets in flight or screw with the delivery protocol, and as such the key is not a state secret. I am goi

Re: md5 for bgp tcp sessions

2005-06-22 Thread Richard A Steenbergen
On Wed, Jun 22, 2005 at 10:04:09PM -0400, Todd Underwood wrote: > > the md5 password hack to protect tcp sessions is rapidly falling out > of favor for a number of reasons. among them: > > 1) it protects against a very limited "vulnerability". for operating > systems that stay up for reasonabl

md5 for bgp tcp sessions

2005-06-22 Thread Todd Underwood
eric, all, not to pick on eric at all, but since he raised the issue... On Wed, Jun 22, 2005 at 11:42:46AM -0400, Eric Gauthier wrote: > likely need to make modifications to our IGP/EGP setup. Though we filter > OSPF multicast traffic, we wanted to add in MD5 passwords to our > neighbors. ju