[nsp] MD5 causes biggern problem than it fixes?

Edward Henigin ed at texas.net
Thu Apr 22 23:48:35 EDT 2004


On Wed, Apr 21, 2004 at 03:24:41PM -0500, Edward Henigin said:
[...]
> 2) Presuming:
>    - TCP MD5 checksums do more harm than good,
>    - RPF won't work here due to asymmetric routing,
>    - application of filters on my network either being dangerous
>      due to Ciscos being unable to do line rate ACLs, or not helpful
>      because they can't drop the relevant packets,
>    - I'd really like something better than "have your upstreams
>      filter,"
> 
> is there a solution to protect against this issue?


Security through obscurity seems like it might do the trick.

Lane Patterson's post to NANOG presents an idea.  Put secondary
addresses on interfaces across which you are doing BGP.  Peer using
the secondary addresses.

A traceroute through the interface won't show the peering addresses.
Thus making it significantly harder to guess the magic packet
required to reset that bgp session.  Presumably, the attacker would
simply attack the addresses visible from the traceroute, and only
after exhaustively searching his presumed problem space would he
realize that his problem space is in reality much larger.

Hrmm... how many outages will that cause due to increased configuration
complexity?  How many backbone carriers will agree to do this?
Further research is left as an exercise for the reader...

Ed
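The configuration sketch below is an added illustration of the idea Ed describes, not something from the post or from Lane Patterson's NANOG message. It shows one side of a directly connected eBGP link on Cisco IOS: the primary subnet carries the traffic (and is what a traceroute across the link reveals), while the BGP session is built between addresses on a secondary subnet. Addresses are RFC 5737/RFC 6996 documentation space, the interface name and AS numbers are made up, and it assumes IOS sources the session from the secondary address in the same subnet as the neighbor.

```cisco
! Router A (AS 64496), link to peer B (AS 64497). Illustration only;
! addresses, AS numbers and interface name are constructed.
interface GigabitEthernet0/1
 description peering link to B
 ! Primary subnet: forwards transit traffic and answers traceroute probes,
 ! so 192.0.2.1 / 192.0.2.2 are the addresses an outsider can see.
 ip address 192.0.2.1 255.255.255.252
 ! Secondary subnet: exists only to carry the BGP session. No traceroute
 ! reply is sourced from it, so it does not show up in a path trace.
 ip address 198.51.100.1 255.255.255.252 secondary
!
router bgp 64496
 ! Peer on the secondary subnet, not on the visible 192.0.2.2.
 neighbor 198.51.100.2 remote-as 64497
 neighbor 198.51.100.2 description B (session on secondary subnet)
```

Peer B mirrors this with 192.0.2.2 primary and 198.51.100.2 secondary. After the session comes up, `show ip bgp neighbors 198.51.100.2 | include host` should report `Local host: 198.51.100.1` and `Foreign host: 198.51.100.2`; if it shows 192.0.2.1 instead, the session is still using the visible address and nothing has been gained. This only hides the endpoint addresses; it does not change the TCP sequence-number or port guessing that the MD5 discussion is about, and every extra subnet on a backbone link is one more thing to keep consistent on both ends, which is exactly the operational cost Ed raises.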

