[nsp] MD5 causes bigger problem than it fixes?
Edward Henigin
ed at texas.net
Wed Apr 21 11:47:07 EDT 2004
Folks,
NANOG is rife with the back-and-forth arguments about MD5 hashing
your BGP sessions causing a bigger problem than it solves, namely
a vector for CPU starvation. The argument is that if you have MD5
turned on, then it's trivial to flood your router with packets that
will then be MD5-checked, and the MD5-checking is expensive, and
so causing a CPU DoS.
My question: has anyone tested this? Are there variations in IOS
revs where it works or doesn't work?
Before setting it up in a lab and testing, I wanted to see if the
leg work has already been done. The BGP reset security announcement
suggested the TCP MD5 configuration as a protection method, without
reservation. Reasonable operational folks are expressing serious
reservations. Which way is a mortal soul to go?
Thanks,
Ed
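To make the cost model in the question concrete, here is an added example (not code from the original post, and not a description of what any IOS release does): it computes the RFC 2385 TCP MD5 signature over a BGP KEEPALIVE, then feeds a listener a flood of spoofed segments that carry the right addresses and ports but a wrong key, and counts how many MD5 digests the listener has to compute. The listener is built two ways: MD5 on every packet, as the argument on the list assumes, and with the cheap 4-tuple and sequence-window checks run before the digest. Addresses, ports, the session key and the ordering of the checks are all assumptions of this example.

```python
"""RFC 2385 TCP MD5 signatures and the per-packet verification cost.
Added example; the check ordering in BgpListener is this example's design
choice, not a statement about IOS.  Addresses, ports and keys are constructed."""
import hashlib
import hmac
import random
import socket
import struct
from dataclasses import dataclass

MD5_OPT_KIND = 19                                # TCP option kind for the RFC 2385 signature
TCP_ACK = 0x10
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"       # a 19-byte BGP KEEPALIVE message


@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    tcp_hdr: bytes    # fixed 20-byte header plus options
    payload: bytes


def tcp_md5_digest(src_ip, dst_ip, tcp_hdr, payload, key):
    """RFC 2385 digest: IP pseudo-header, the 20-byte TCP header with checksum
    zeroed and options excluded, the segment data, then the shared key."""
    seg_len = len(tcp_hdr) + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, seg_len)
    fixed = bytearray(tcp_hdr[:20])
    fixed[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def make_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """Signed ACK segment: two NOPs, then option kind 19, length 18, 16-byte digest."""
    placeholder = b"\x01\x01" + bytes([MD5_OPT_KIND, 18]) + b"\x00" * 16   # 20 bytes of options
    data_offset = (20 + len(placeholder)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, TCP_ACK, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed + placeholder, payload, key)
    return Segment(src_ip, dst_ip, fixed + placeholder[:4] + digest, payload)


def extract_md5_option(tcp_hdr):
    """Walk the TCP options and return the 16-byte signature, or None if absent."""
    end = (tcp_hdr[12] >> 4) * 4
    i = 20
    while i < end:
        kind = tcp_hdr[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        length = tcp_hdr[i + 1]
        if kind == MD5_OPT_KIND and length == 18:
            return tcp_hdr[i + 2:i + 18]
        i += max(length, 2)
    return None


class BgpListener:
    """Receiver side of one BGP session.  md5_ops counts digests computed.
    prefilter=False verifies MD5 on every segment first (the behaviour the post
    is asking about); prefilter=True runs the cheap 4-tuple and receive-window
    checks first and only hashes segments that pass them."""
    def __init__(self, local_ip, local_port, peer_ip, peer_port, key, rcv_nxt, rcv_wnd, prefilter):
        self.local, self.peer = (local_ip, local_port), (peer_ip, peer_port)
        self.key, self.rcv_nxt, self.rcv_wnd, self.prefilter = key, rcv_nxt, rcv_wnd, prefilter
        self.md5_ops = 0
        self.accepted = 0

    def _cheap_checks(self, seg):
        sport, dport, seq = struct.unpack("!HHI", seg.tcp_hdr[:8])
        if (seg.src_ip, sport) != self.peer or (seg.dst_ip, dport) != self.local:
            return False
        return (seq - self.rcv_nxt) % (1 << 32) < self.rcv_wnd      # sequence inside receive window

    def _signature_ok(self, seg):
        self.md5_ops += 1
        sig = extract_md5_option(seg.tcp_hdr)
        expected = tcp_md5_digest(seg.src_ip, seg.dst_ip, seg.tcp_hdr, seg.payload, self.key)
        return sig is not None and hmac.compare_digest(sig, expected)

    def process(self, seg):
        order = [self._cheap_checks, self._signature_ok] if self.prefilter else [self._signature_ok, self._cheap_checks]
        if not all(check(seg) for check in order):
            return False
        self.accepted += 1
        return True


def simulate_flood(n_spoofed, prefilter, seed=1):
    """n_spoofed segments with the right 4-tuple (an attacker can learn it), a
    random sequence number and a guessed key, then one genuine KEEPALIVE.
    Returns (genuine_accepted, md5_ops, accepted_count)."""
    rng = random.Random(seed)
    key = b"constructed-session-key"
    local_ip, local_port, peer_ip, peer_port = "192.0.2.1", 179, "198.51.100.7", 40001
    rcv_nxt, rcv_wnd = 1_000_000, 65535
    rx = BgpListener(local_ip, local_port, peer_ip, peer_port, key, rcv_nxt, rcv_wnd, prefilter)
    for _ in range(n_spoofed):
        rx.process(make_segment(peer_ip, local_ip, peer_port, local_port,
                                rng.getrandbits(32), 0, KEEPALIVE, b"attacker-guess"))
    ok = rx.process(make_segment(peer_ip, local_ip, peer_port, local_port, rcv_nxt, 0, KEEPALIVE, key))
    return ok, rx.md5_ops, rx.accepted


if __name__ == "__main__":
    for mode in (False, True):
        ok, ops, acc = simulate_flood(2000, prefilter=mode)
        print(f"prefilter={mode}: genuine accepted={ok}, md5 computations={ops}, accepted={acc}")
```

With MD5 first, the listener computes one digest per flood packet, which is the CPU-starvation vector the thread describes; with the window check first, only spoofed segments whose sequence number happens to land inside the 64 KiB receive window reach the hash. The caveat is that an attacker who can guess the in-window sequence number, the same guess the BGP reset advisory the post refers to is about, still forces a digest per packet, so the example makes the cost model concrete but does not answer the question of how a given IOS release actually orders these checks; that still needs the lab test the post asks about.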