[nsp] MD5 causes bigger problem than it fixes?
Rubens Kuhl Jr.
rubens at email.com
Wed Apr 21 16:42:44 EDT 2004
> 1) Does enabling TCP-MD5 checksums for my border BGP sessions put
> us at greater risk than not doing so? Are there any published
> tests pointing one way or the other? Why do seemingly intelligent
> people disagree on this point?
Lack of real testing. Opinions on this are likely to converge once good data
on it appears.
> 2) Presuming:
> - TCP MD5 checksums do more harm than good,
Not known for now.
> - RPF won't work here due to asymmetric routing,
Not sure... asymmetric routing usually applies to the other peer backbone,
but not to other peer BGP address. A more specific route may be used to RPF
check the packets.
> - application of filters on my network either being dangerous
> due to Ciscos being unable to do line rate ACLs, or not helpful
That's too general. Each Cisco platform is different on whether ACLs have
performance impact; 7600s, for instance, usually won't slow a bit.
> because they can't drop the relevant packets,
Is MAC-based filtering being considered at IXPs? BGP packets from one peer
shouldn't come from other MACs.
> - I'd really like something better than "have your upstreams
> filter,"
>
> is there a solution to protect against this issue?
BGP-over-IPSEC?
Rubens