Hey,
I'm not Alan, just trying to save him some typing :) The
issue being referenced is that BGP4 as you know uses TCP
communication to check link status. If the TCP session is
severed in any way, BGP assumes the link down, and drops
the advertisements, or the table depending which side
(at least in Cisco's implementation).
This basically leaves you dead in the water for a few
seconds while the BGP session is re-established, and
the advertisements are send out, and table rebuilt. It
can also cause other routers on the net to see you as
"flapping", and dampen your routes.. Which again leaves
you dead in the water (at least from things behind them).
This is accomplished by guessing the correct TCP Sequence
number, and sending RST packets to drop the TCP connection.
BGP does not actually check the layer 2 status of the
connection to make sure the link is still UP before
it assumes you have dropped. I believe this is the
poor implementation he is referring to.
MD5 encryption was added to the sessions between
routers to make hijacking the stream more difficult
(if not next to impossible)
D.
> -----Original Message-----
> From: Dale Corse [mailto:[email protected]]
> Sent: Sunday, September 12, 2004 1:36 PM
> To: 'Dale'
> Subject: FW: Linux 2.4.27 SECURITY BUG - TCP Local and
> REMOTE(verified) Denial of Service Attack
>
>
>
>
> -----Original Message-----
> From: Toon van der Pas [mailto:[email protected]]
> Sent: Sunday, September 12, 2004 1:24 PM
> To: Alan Cox
> Cc: Wolfpaw - Dale Corse; [email protected]; Linux
> Kernel Mailing List
> Subject: Re: Linux 2.4.27 SECURITY BUG - TCP Local and
> REMOTE(verified) Denial of Service Attack
>
>
> On Sun, Sep 12, 2004 at 06:04:53PM +0100, Alan Cox wrote:
> >
> > This is not a TCP flaw, its a combination of poor design by certain
> > vendors, poor BGP implementation and a lack of
> understanding of what
> > TCP does and does not do. See IPSec. TCP gets stuff from A to B in
> > order and knowing to a resonable degree what arrived. TCP does not
> > proide a security service.
> >
> > (The core of this problem arises because certain people treat TCP
> > connection down on the peering session as link down)
>
> Alan, could you please elaborate on this last statement?
> I don't understand what you mean, and am very interested.
>
> Thanks,
> Toon.
> --
> "Debugging is twice as hard as writing the code in the first
> place. Therefore, if you write the code as cleverly as
> possible, you are, by definition, not smart enough to debug
> it." - Brian W. Kernighan
>
> --------------------------------------------------------------
> --------------
> -
> This message has been scanned for Spam and Viruses by ClamAV
> and SpamAssassin
> --------------------------------------------------------------
> --------------
> -
>
>
>
>
On Sun, Sep 12, 2004 at 01:42:26PM -0600, Wolfpaw - Dale Corse wrote:
> MD5 encryption was added to the sessions between
> routers to make hijacking the stream more difficult
> (if not next to impossible)
Correction : MD5 *signature* was added from the beginning since the problem
was identified from start, but seeing that certain people did not implement
it, others found interesting to turn this into a "generic TCP vulnerability"
to get some credits, or perhaps to make them react positively.
Regards,
Willy