[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[RRG] Replacement for BGP-TCP-MD5

To: Markus Stenberg <mstenber@cisco.com>
Subject: [RRG] Replacement for BGP-TCP-MD5
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Sat, 19 Jan 2008 13:51:05 +0100
Cc: Sandy Murphy <sandy@tislabs.com>, jnc@mercury.lcs.mit.edu, rrg@psg.com
In-reply-to: <CF6F419D-C4C1-47E0-9794-2488D287C17C@cisco.com>
References: <20080117203205.947153F439@pecan.tislabs.com> <CF6F419D-C4C1-47E0-9794-2488D287C17C@cisco.com>

On 18 jan 2008, at 4:07, Markus Stenberg wrote:

TCP MD5 protects the links between routers.  It does nothing at all,
de nada, zero, zip, about protecting what the routers
say.

Actually, it does protect what they say, it just doesn't make whatthey say right.

(What's more, it is cryptographically unsophisticated and outmoded.)

Yes.. This is what I was trying to point out, with a broken example.

Anyway, even with the admittedly broken key handling (static manualkeying),

We had an IETF meeting where we roamed from session to session talkingabout this. This is actually a fairly difficult problem to reallysolve: if you want to be able to change keys, you need agreementbetween both sides, and reaching this agreement out of band is theproblem. (If you have that then TCP MD5 is not a problem today exceptperhaps for the timing of the change.) Reaching this agreement in bandis fairly non-trivial because then you need something that's long termstable that you can derive the more ephemeral keys from. Which has tobe something that you can verify without connectivity to avoidcircular dependencies.

broken protocol (replay attacks and such)

Good luck replaying TCP...

and partially broken digest algorithm, it seems to be still workingwell enough. I haven't heard about any attacks against the BGP+TCP-MD5 really happening out there in the wild.

The biggest problem is that it has no DoS protection, so basically youprotect against the risk of spoofed TCP RSTs at the cost of assumingthe risk of your route processor CPU be drowned in MD5 calculations.In theory, MD5 is light weight and many packets can be rejectedwithout doing the MD5 calculation, but in practice route processorsslow down significantly in the presence of MD5 digests.

However, I find it rather disturbing that the TCP folks are nowapparently looking at this. IPsec was made for this type of stuff: itis extensible, has strong algorithms, an anti-replay counter thathelps against CPU exhaustion attacks for off-path attackers (ifthere's an attacker on the link between two routers you have biggerproblems), supports negotiating new session keys and it's widelyimplemented. Solving the same problem a third time is at best a wasteof time.

However, the problem with IPsec is that vendors have made theirimplementations extremely complex to configure, so even though thecrypto people say set up and forget for TCP MD5 is really, really bad,the operators don't care because they don't see actual attacks, sothey're not willing to spend the time and effort to deploy BGP overIPsec.

--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg

Follow-Ups:
- Re: [RRG] Replacement for BGP-TCP-MD5
  - From: Tony Li <tli@cisco.com>

References:
- Re: [RRG] Tunnel fragmentation/reassembly for RRG map-and-encaps architectures
  - From: sandy@tislabs.com (Sandy Murphy)
- Re: [RRG] Tunnel fragmentation/reassembly for RRG map-and-encaps architectures
  - From: Markus Stenberg <mstenber@cisco.com>

Prev by Date: Re: [RRG] Tunnel fragmentation/reassembly for RRG map-and-encaps architectures
Next by Date: Re: [RRG] Replacement for BGP-TCP-MD5
Previous by thread: RE: [RRG] Tunnel fragmentation/reassembly for RRG map-and-encaps architectures
Next by thread: Re: [RRG] Replacement for BGP-TCP-MD5
Index(es):
- Date
- Thread