On 14 Sep 2012, at 20:59, John Brown <[email protected]> wrote:

> I remember reading / hearing that using a BGP password could cause a DDOS
> vulnerability with Cisco and other vendor devices.
The problem related to how IOS handled MD5 checksums. Turned out that the MD5 check was calculated before the TCP seq numbers were checked rather than afterwards, which would make much more sense from a helicopter point of view. Obviously calculating an MD5 hash is much more computationally expensive than a simple integer comparison, and people at the time were concerned that this would open up a DoS vector for hammering the RP. In retrospect it turned out that it made very little difference in practice.

The general advice is still to use CoPP or ACLs to deprioritise unknown BGP traffic. GTSM can help in some situations, particularly at IXPs. Otherwise MD5 is a matter of choice. Some people like it; others don't.

Nick

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
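An added illustration, not part of the thread and not Cisco code: a small Python model of a BGP listener that counts how many MD5 signature computations it performs on a burst of junk segments, depending on whether the signature is verified before or after the cheap checks (sequence window, and the GTSM TTL check when enabled). The RFC 2385 signature calculation is simplified (pseudo-header, option-less TCP header with zero checksum, payload, password; sequence-number wraparound is ignored), and the addresses, ports, password and segment counts are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    ttl: int
    payload: bytes
    digest: bytes = b""


def tcp_md5_digest(seg: Segment, password: bytes) -> bytes:
    """Simplified RFC 2385 signature: IPv4 pseudo-header, 20-byte TCP header
    with checksum zero and no options, then the data, then the password."""
    seg_len = 20 + len(seg.payload)
    pseudo = (ipaddress.IPv4Address(seg.src).packed
              + ipaddress.IPv4Address(seg.dst).packed
              + struct.pack("!BBH", 0, 6, seg_len))
    tcp_hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                          5 << 4, seg.flags, 65535, 0, 0)
    return hashlib.md5(pseudo + tcp_hdr + seg.payload + password).digest()


class BgpListener:
    """Receiver side of one established BGP session (model, not a real TCP stack)."""

    def __init__(self, password: bytes, rcv_nxt: int, window: int, gtsm: bool):
        self.password = password
        self.rcv_nxt = rcv_nxt
        self.window = window
        self.gtsm = gtsm
        self.md5_computations = 0
        self.accepted = 0
        self.dropped = 0

    def _ttl_ok(self, seg: Segment) -> bool:
        # GTSM: a directly connected peer's segments arrive with TTL 255.
        return seg.ttl == 255

    def _seq_in_window(self, seg: Segment) -> bool:
        # Plain integer comparison; wraparound ignored in this model.
        return self.rcv_nxt <= seg.seq < self.rcv_nxt + self.window

    def _md5_ok(self, seg: Segment) -> bool:
        self.md5_computations += 1  # the expensive step the thread is about
        return hmac.compare_digest(tcp_md5_digest(seg, self.password), seg.digest)

    def receive(self, seg: Segment, md5_first: bool) -> bool:
        checks = [self._md5_ok, self._seq_in_window] if md5_first \
            else [self._seq_in_window, self._md5_ok]
        if self.gtsm:
            checks.insert(0, self._ttl_ok)  # cheapest check, so it goes first
        for check in checks:
            if not check(seg):
                self.dropped += 1
                return False
        self.accepted += 1  # state advance (rcv_nxt update) omitted in this model
        return True


def simulate(md5_first: bool, gtsm: bool, junk_count: int = 1000) -> dict:
    """Feed one genuine KEEPALIVE plus junk_count constructed junk segments
    that match the session's 4-tuple but carry out-of-window sequence
    numbers and bogus digests. Returns counters for comparison."""
    password = b"constructed-example-secret"  # constructed, not a real key
    listener = BgpListener(password, rcv_nxt=1_000_000, window=65535, gtsm=gtsm)
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"  # BGP KEEPALIVE: marker, length 19, type 4
    good = Segment("192.0.2.2", "192.0.2.1", 54321, 179, 1_000_000, 5000, 0x18, 255, keepalive)
    good.digest = tcp_md5_digest(good, password)
    traffic = [good]
    for i in range(junk_count):
        traffic.append(Segment("192.0.2.2", "192.0.2.1", 54321, 179,
                               0x7000_0000 + i * 7919, 0, 0x18, 240, b"\x00" * 16, b"\x00" * 16))
    for seg in traffic:
        listener.receive(seg, md5_first)
    return {"md5_computations": listener.md5_computations,
            "accepted": listener.accepted, "dropped": listener.dropped}


if __name__ == "__main__":
    for md5_first, gtsm in [(True, False), (False, False), (True, True)]:
        print(f"md5_first={md5_first} gtsm={gtsm}: {simulate(md5_first, gtsm)}")
```

With the signature checked first, every junk segment costs one MD5 computation on the control plane; with the sequence window (or the GTSM TTL test) checked first, only the genuine segment ever reaches the hash. The model does not say how much that matters on real hardware, which is the point the thread makes: it is the rate-limiting of unknown BGP traffic by CoPP or ACLs, not the check ordering alone, that bounds the cost.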
