John Morgan Salomon wrote:
> 
> Hey,
> 
> Absolutely ditto on this one.  I'll mention this, since it's come up in public
> discussion, but apparently a UK government agency (equivalent of the
> NIPC in the US, I forget their exact name) has been contacting lots
> of large companies regarding preventative countermeasures, and telling
> them to (a) not pass it on (yeah right) and (b) NOT contact any
> manufacturers about details until the 21st.  No advice given beyond
> "Enable MD5.  Shh.  Don't tell anyone.  Top secret.  You never saw us."

Sorry, but this must be total bullshit and FUD.  There is no way any
kind of NIPC would tell large companies to do this but *NOT* to inform
the vendors of their equipment.

> So yeah, I've gotten exactly the same sort of response.  Great
> coordinated security activity there.

In my opinion this MD5 hype is just that.  MD5 doesn't really make the
router any more secure.  To the contrary, it just costs the thing a lot
of CPU to validate the BGP packets.  Nice new DoS vector here.  There
are many more serious attacks possible on the control plane of the big
Cisco and Juniper boxes.  The easiest one takes just about 3Mbit/s of
traffic to kill a 12000.  Before you waste your time on MD5-ing all your
peering sessions, do a search for infrastructure ACLs on www.cisco.com.
If you have done all that, it makes sense to look at MD5 again.

-- 
Andre
----------------------------------------------
[EMAIL PROTECTED] Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/
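The two countermeasures discussed in this thread, an infrastructure ACL filtering traffic aimed at the router's own address space and TCP MD5 on the peering session, shown side by side in a Cisco IOS configuration. This is an added example and not part of the original post; the addresses (RFC 5737 documentation ranges), AS numbers, interface name and ACL name are all constructed, and the MD5 password is a placeholder to be replaced.

```cisco
! Constructed example: infrastructure ACL applied inbound on the peering interface.
! It lets the known eBGP peer reach our peering address, then drops everything
! else destined to the infrastructure block (loopbacks, point-to-point links)
! while leaving transit traffic for customers untouched.
ip access-list extended INFRA-ACL
 ! BGP session with the peer (both directions of the TCP connection)
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 ! Nothing else from outside may talk to router infrastructure addresses
 deny ip any 198.51.100.0 0.0.0.255
 ! Transit traffic is not filtered here
 permit ip any any
!
interface GigabitEthernet0/0
 description Peering link to AS64496 (constructed example)
 ip address 192.0.2.1 255.255.255.252
 ip access-group INFRA-ACL in
!
router bgp 64500
 ! TCP MD5 on the session; the peer must be configured with the same secret.
 ! Placeholder secret: replace before use.
 neighbor 192.0.2.2 remote-as 64496
 neighbor 192.0.2.2 password REPLACE-WITH-SHARED-SECRET
```

The ACL is deliberately ordered so the BGP session is matched before the blanket deny, since applying the deny first would tear down the peering. After applying it, `show ip access-lists INFRA-ACL` shows per-entry hit counts, which is the quickest way to see what is actually being dropped, and `show ip bgp neighbors` confirms the session came back up after both sides configured the password.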
