Re: TCP-RST Vulnerability - Doubt

From: Valdis . Kletnieks
Date: Tue Jun 29 2004 - 15:07:31 EST


On Mon, 28 Jun 2004 21:26:07 +0200, Florian Weimer said:

> > The Cisco routers we deployed 3.5 years ago were already configured with MD5
> > enabled on BGP, this was on IOS 12.0 at this time. And I guess that Cisco
> > still has a good share amongst the BGP setups.
>
> Software deployed /= configured & enabled.
>
> One of the main problems with the TCP MD5 option is that it requires a
> password which has to be negotiated by the peers. This adds a
> non-trivial management burden.

The latest numbers I saw on the NANOG list estimated that only 30% to 40% of
core peerings were using MD5 even several weeks after the Great MD5-Fest...

> If the packet is still handled by a real CPU (which is very likely the
> case given the complexity of the protocols involved), it will still
> overload.

I am told that at least some versions of IOS got it Very Very Wrong - rather
than first checking the simple things like "is the source/dest addr/ports/seq
on the RST in bounds?" or "is a BGP packet?", it would check the MD5 *first* -
meaning you could swamp the real CPU by sending it a totally bogus stream of
allegedly MD5-signed traffic.. which of course would induce a route flap
when the CPU fell too far behind... ;)
