gy of all."
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy Bush
> Sent: Tuesday, August 14, 2018 3:39 PM
> To: North American Network Operators' Group
> Subject: tcp md5 bgp attacks?
>
> so we started to wonder if, since w
* ra...@psg.com (Randy Bush) [Wed 15 Aug 2018, 04:27 CEST]:
my memory is that seq num guessing and sending rst was the core
problem motivating tcp/md5 for bgp, and btsh came some years later.
but no big deal.
And a few looking glasses exposed detailed TCP window information when
run against
sec and GTSM...
Brgds,
LG
From: NANOG on behalf of Randy Bush
Sent: Tuesday, August 14, 2018 5:38 PM
To: North American Network Operators' Group
Subject: tcp md5 bgp attacks?
so we started to wonder if, since we started protecting our bgp
sessions with md5 (
> With regards to BGP, the MD5 thing was promulgated to counter what was
> a largely theoretical threat.
the rst attacks were a very serious problem. attacks were very real and
very disruptive. gtsm et alia were a few years later.
> We still see DDoS attacks against routers, of course.
i am
Well, think about RST attacks, in which someone bombards a TCP connection with
TCP RESET in the hopes of threading a needle and taking it down. It's not the
end of the world - BGP restarts - but there is an outage. The simplest way to
protect against that (and against having someone with a
h American Network Operators' Group
Subject: tcp md5 bgp attacks?
so we started to wonder if, since we started protecting our bgp
sessions with md5 (in the 1990s), are there still folk trying to
attack?
we were unable to find bgp mib counters. there are igp interface
counters, but that was not our
On 8/14/18 7:27 PM, Randy Bush wrote:
>
> < rathole >
> i am not much worried about a mesh which floods unicast. can you even
> buy devices which support that any more? a while back, i had to really
> dig in the closet to find one at 100mbps so i could shark mid-stream.
I'm not actually
On 15 Aug 2018, at 9:27, Randy Bush wrote:
my theory is that, as the attacks were mitigated the attackers moved
on to other things.
With regards to BGP, the MD5 thing was promulgated to counter what was a
largely theoretical threat. iACLs, and later GTSM and CoPP and LPTS and
so forth
my memory is that seq num guessing and sending rst was the core problem
motivating tcp/md5 for bgp, and btsh came some years later. but no big
deal.
i think that, indeed, md5 keys are shared across many links *within* an
op's infrastructure. but, since integrity, and not privacy, is the
goal,
On 8/14/18 2:38 PM, Randy Bush wrote:
> so we started to wonder if, since we started protecting our bgp
> sessions with md5 (in the 1990s), are there still folk trying to
> attack?
To recap for the purpose of my own edification and because hopefully
someone will relieve me of my assumptions.
>> something such as, or close to, rfc 4808?
>
> It provides some capability, but for example if I have a large iBGP
> mesh and need to change methods of securing it and have automation
> involved, it can often be a one-shot change unless I can zone some
> routers to different versions of
> On Aug 14, 2018, at 8:12 PM, Randy Bush wrote:
>
> [ again, thanks for an answer to the question asked ]
>
>>> anyone using the timed key-chain stuff?
>>
>> I’ve looked at it, hear it works, but not been willing to take the hit
>> for any transition.
>
> and i am not sure it meets my
[ again, thanks for an answer to the question asked ]
>> anyone using the timed key-chain stuff?
>
> I’ve looked at it, hear it works, but not been willing to take the hit
> for any transition.
and i am not sure it meets my needs. i am not seeking privacy or pfs.
i want roll-if-compromise.
> On Aug 14, 2018, at 8:04 PM, Randy Bush wrote:
>
> follow-on question:
>
> anyone using the timed key-chain stuff?
I’ve looked at it, hear it works, but not been willing to take the hit for any
transition.
I talked about some of this and other challenges at SAAG WG at IETF 101.
> My data is coarse, but with 'show system statistics tcp | match auth'
> I see sometimes thousands of rcv packets dropped on BGP routers. I
> doubt they are attacks, but simply badly configured or stale peer
> sessions over the course of time the counters initialized from.
thanks john for the
On Tue, 14 Aug 2018 21:38:35 +
Randy Bush wrote:
> we would be interested in data from others.
My data is coarse, but with 'show system statistics tcp | match auth' I
see sometimes thousands of rcv packets dropped on BGP routers. I doubt
they are attacks, but simply badly configured or
On 15 Aug 2018, at 6:28, Grant Taylor via NANOG wrote:
> Is there something that I've missed the boat on?
No - it's a belt-and-suspenders sort of thing, along with GTSM.
---
Roland Dobbins
On Tue, Aug 14, 2018 at 05:28:13PM -0600, Grant Taylor via NANOG wrote:
> On 08/14/2018 03:38 PM, Randy Bush wrote:
> > so we started to wonder if, since we started protecting our bgp
> > sessions with md5 (in the 1990s), are there still folk trying to
> > attack?
>
> n00b response here
>
> I
On 08/14/2018 03:38 PM, Randy Bush wrote:
so we started to wonder if, since we started protecting our bgp
sessions with md5 (in the 1990s), are there still folk trying to
attack?
n00b response here
I thought using ACLs or otherwise protecting the BGP endpoint was best
practice. Thus it's
so we started to wonder if, since we started protecting our bgp
sessions with md5 (in the 1990s), are there still folk trying to
attack?
we were unable to find bgp mib counters. there are igp interface
counters, but that was not our immediate interest. we did find
that md5 failures are logged.
20 matches
Mail list logo
