[c-nsp] BGP MD5 DDOS ?

Robert E. Seastrom rs at seastrom.com
Sun Sep 16 08:05:35 EDT 2012


"Dobbins, Roland" <rdobbins at arbor.net> writes:

> On Sep 15, 2012, at 7:58 PM, Nick Hilliard wrote:
>
>> The general advice is still to use CoPP or ACLs to deprioritise unknown BGP traffic. GTSM can help in some situations, particularly at IXPs. Otherwise MD5 is a matter of choice. Some people like it; others don't.
>
> Concur.
>
> There are no recorded instances of MD5 keying contributing to a DoS
> in the wild, AFAIK.  And of course if you use iACLs, CoPP, GTSM, you
> therefore keep unwanted traffic off your session in the first place.

I agree - if unwanted traffic hits the control plane without being
clamped down, you've lost the game in so many other ways...

> MD5 keying is useful as a safeguard to make folks really think
> before they bring up new peers.  Sort of a last-ditch, "Are you
> *really* sure you want to do this, have you done everything else
> necessary to secure and protect this new routing relationship?"

Emphatically disagree.  Optimize for technician brain cells (where
Moore's Law does not apply).  An extra knob, an extra data point to be
collected, managed, (and possibly get wrong) as a proxy for "are you
sure? [y/N]" is a huge step away from goodness.

"The most reliable components are the ones you leave out." - C. Gordon Bell

-r
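As an added illustration of the CoPP/ACL/GTSM/MD5 combination the thread is discussing (not configuration posted by anyone in it), here is a Cisco IOS fragment that polices BGP packets from unknown sources to a much lower rate than packets from a configured peer, and applies GTSM and an MD5 key to that peer. The addresses, AS numbers, policer rates and key are constructed placeholders, and the command syntax is assumed to follow classic IOS.

```cisco
! Constructed example: local router 192.0.2.2 in AS 64496,
! one eBGP peer 192.0.2.1 in AS 64497.
!
! BGP packets exchanged with the configured peer (either direction).
ip access-list extended BGP-KNOWN-PEERS
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
!
! Any other BGP packet that reaches the control plane.
ip access-list extended BGP-UNKNOWN
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map match-all COPP-BGP-KNOWN
 match access-group name BGP-KNOWN-PEERS
class-map match-all COPP-BGP-UNKNOWN
 match access-group name BGP-UNKNOWN
!
! Classes are evaluated in order, so the known-peer class wins first.
! Unknown BGP traffic is deprioritised by policing it to a trickle
! rather than dropped outright, matching the advice in the thread.
policy-map COPP
 class COPP-BGP-KNOWN
  police 256000 conform-action transmit exceed-action drop
 class COPP-BGP-UNKNOWN
  police 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
router bgp 64496
 neighbor 192.0.2.1 remote-as 64497
 ! GTSM: accept only packets whose TTL shows they came from one hop away.
 ! The peer must configure the same hop count for the session to come up.
 neighbor 192.0.2.1 ttl-security hops 1
 ! MD5 TCP option; the peer must configure the identical key.
 neighbor 192.0.2.1 password EXAMPLE-SHARED-SECRET
```

Order of the policy-map classes matters: if BGP-UNKNOWN were listed first, its `any any` match would also catch the legitimate peer and police it to the low rate.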
