[nsp] MD5 causes bigger problem than it fixes?

Edward Henigin ed at texas.net
Wed Apr 21 16:24:41 EDT 2004


On Wed, Apr 21, 2004 at 01:08:03PM -0700, Dan Hollis said:
> On Wed, 21 Apr 2004, Edward Henigin wrote:
> > If you're suggesting that RPF is a solution in this case, please
> > elaborate.  I suspect that most border routers are like mine and
> > require "reachable-via any".
> 
> Just because it's not applicable to you doesn't mean it's useless for 
> everyone?

Very true.  However, the context of this conversation isn't "what
should everyone do," but "what should I do."

> Deploy RPF where you can. There's nowhere in your *entire* network where 
> RPF applies?

You should drink milk, too.  It does a body good.  Unfortunately,
milk won't help my border routers.  Yes we run RPF where appropriate.
But this conversation is now about my border routers, where RPF
won't help.

Since this conversation is in a public forum, and we seem to have
wandered, I'd like to refocus.  If you're at a dead-end, I have
appreciated your input, and perhaps someone else has some ideas.

1) Does enabling TCP-MD5 checksums for my border BGP sessions put
us at greater risk than not doing so?  Are there any published
tests pointing one way or the other?  Why do seemingly intelligent
people disagree on this point?

2) Presuming:
   - TCP MD5 checksums do more harm than good,
   - RPF won't work here due to asymmetric routing,
   - application of filters on my network either being dangerous
     due to Ciscos being unable to do line rate ACLs, or not helpful
     because they can't drop the relevant packets,
   - I'd really like something better than "have your upstreams
     filter,"

is there a solution to protect against this issue?

Thanks,

Ed
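Added example, not part of the thread or of any vendor's code: what "TCP-MD5" (RFC 2385) actually computes for a BGP segment, with the sender and receiver sides shown so the cost question in item 1 is concrete. The receiver has to run a full MD5 over the pseudo-header, fixed TCP header, payload and key before it can tell a segment that carries the right signature from one that does not. The key, the RFC 5737 documentation addresses and the KEEPALIVE payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19   # RFC 2385 option kind
MD5SIG_OPTLEN = 18   # kind + length + 16-byte digest


def tcp_md5_digest(key, src_ip, dst_ip, tcp_header, payload):
    """RFC 2385 section 2: MD5 over (1) the TCP pseudo-header, (2) the fixed
    TCP header with checksum zeroed and options excluded, (3) the segment
    data, (4) the connection key, in that order.  tcp_header is the full
    header including options; only its length feeds the pseudo-header."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def build_signed_segment(key, src_ip, dst_ip, sport, dport, seq, ack, payload):
    """Sender side: a PSH/ACK segment carrying the MD5 signature option,
    padded with two NOPs to a 4-byte boundary (20 bytes of options)."""
    data_offset = (20 + MD5SIG_OPTLEN + 2) // 4          # 10 words = 40 bytes
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, 0x18, 65535, 0, 0)
    # Options are excluded from the digest, so a zero placeholder digest gives
    # the same result; it is only there so the segment length is right.
    placeholder = (bytes([TCPOPT_MD5SIG, MD5SIG_OPTLEN]) + bytes(16)
                   + bytes([TCPOPT_NOP, TCPOPT_NOP]))
    digest = tcp_md5_digest(key, src_ip, dst_ip, fixed + placeholder, payload)
    options = (bytes([TCPOPT_MD5SIG, MD5SIG_OPTLEN]) + digest
               + bytes([TCPOPT_NOP, TCPOPT_NOP]))
    return fixed + options + payload


def find_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                           # truncated or malformed option
        length = options[i + 1]
        if kind == TCPOPT_MD5SIG and length == MD5SIG_OPTLEN:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_signed_segment(key, src_ip, dst_ip, segment):
    """Receiver side.  One MD5 over the whole segment is computed before a
    segment with a bad or missing signature can be discarded; that per-packet
    work is the cost the thread is arguing about."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    header, payload = segment[:data_offset], segment[data_offset:]
    received = find_md5_option(header[20:])
    if received is None:
        return False    # RFC 2385: unsigned segments on a signed session are dropped
    expected = tcp_md5_digest(key, src_ip, dst_ip, header, payload)
    return hmac.compare_digest(received, expected)


# Constructed sample values: RFC 5737 documentation addresses and a BGP
# KEEPALIVE (16-byte marker of 0xff, length 19, type 4).
KEY = b"constructed-bgp-secret"
LOCAL, PEER = "192.0.2.1", "198.51.100.1"
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"


def demo():
    """Returns (genuine accepted, other-key rejected, tampered rejected)."""
    seg = build_signed_segment(KEY, LOCAL, PEER, 179, 40001, 1000, 2000, KEEPALIVE)
    genuine = verify_signed_segment(KEY, LOCAL, PEER, seg)
    other_key = verify_signed_segment(b"some-other-key", LOCAL, PEER, seg)
    tampered = verify_signed_segment(KEY, LOCAL, PEER, seg[:-1] + bytes([seg[-1] ^ 1]))
    return genuine, other_key, tampered


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The digest covers the addresses as well as the header and data, so a signed segment replayed between different endpoints also fails verification; what it does not cover is the options field, which is why the signature can be computed before it is written into the header.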
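Added example, not from the thread: a small model of unicast RPF in strict ("reachable-via rx") and loose ("reachable-via any") mode over a constructed FIB, to show why item 2's asymmetric-routing caveat holds at a border router. Strict mode rejects a legitimate packet whenever the best route back to its source leaves by a different interface than the one it arrived on; loose mode tolerates that, but then accepts any source address that has a route at all, which is exactly the case of a packet claiming a peer's address. The prefixes, interface names and addresses are constructed sample values.

```python
import ipaddress

# Constructed FIB for a border router with two upstreams (RFC 5737 prefixes):
# destination prefix -> outgoing interface.
FIB = {
    "203.0.113.0/24": "ge-0/0/0",     # our own customer prefix
    "198.51.100.0/24": "upstream-A",  # peer A's address space
    "192.0.2.0/24": "upstream-B",     # peer B's address space
    "0.0.0.0/0": "upstream-A",        # default route
}


def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib, src, ingress):
    """Strict uRPF: the best route to the source must point back out the
    interface the packet arrived on.  Breaks under asymmetric routing."""
    route = lookup(fib, src)
    return route is not None and route[1] == ingress


def urpf_loose(fib, src, ingress, allow_default=False):
    """Loose uRPF: any route to the source is enough, regardless of ingress.
    The default route is ignored unless allow_default is set, otherwise
    every address would pass."""
    route = lookup(fib, src)
    if route is None:
        return False
    if route[0].prefixlen == 0 and not allow_default:
        return False
    return True


def demo():
    """Constructed packets: (source, ingress interface, what it really is)."""
    cases = [
        ("192.0.2.7", "upstream-A", "legitimate, asymmetric return path"),
        ("198.51.100.9", "upstream-B", "source claims peer A's address"),
        ("100.64.0.5", "upstream-B", "source with only the default route"),
        ("203.0.113.4", "ge-0/0/0", "legitimate customer packet"),
    ]
    return {
        desc: (urpf_strict(FIB, src, ifc), urpf_loose(FIB, src, ifc))
        for src, ifc, desc in cases
    }


if __name__ == "__main__":
    for desc, (strict, loose) in demo().items():
        print(f"{desc:45s} strict={strict!s:5s} loose={loose}")
```

The second case is the one the thread cares about: a packet whose source address belongs to a routed prefix passes loose mode on every interface, so "reachable-via any" on a border router does nothing against a segment that claims the peer's address, while strict mode would drop the first case's legitimate traffic.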

