Subject: Re: CVS commit: src
To: Perry E. Metzger <perry@piermont.com>
From: Bill Studenmund <wrstuden@netbsd.org>
List: source-changes
Date: 04/30/2004 16:35:44

On Mon, Apr 26, 2004 at 08:35:51PM -0400, Perry E. Metzger wrote:
>
> christos@zoulas.com (Christos Zoulas) writes:
> > | > No, it is still useful because some routers will not accept non-md5 sessions.
> > | > So to interoperate properly the minimum we have to do is send md5 packets and
> > | > accept md5 packets.
> > |
> > | 	i agree with perry.  if NetBSD side does not check signature
> > | 	(in fact, it does not check *the existence* of signature either)
> > | 	malicious party can throw bogus packets to NetBSD side, and tear down
> > | 	connection (or whatever).
> >
> > But without it you cannot talk to the routers that only do MD5 in
> > the first place.
>
> Yes, and that's because they're expecting secure links.
>
> This is like saying "the only way I can keep my lights on is to put a
> penny into the fuse box instead of a fuse." The fuse is there to
> protect you from a circuit overload, so using a penny is a bad
> idea. The TCP/MD5 requirement is there to protect your BGP sessions
> from being attacked, so using a fake implementation to get around the
> requirement is also a bad idea.

Note, it's not that bad. We do generate correct signatures. So what we're
doing is authenticating ourselves well to the other side, we just aren't
that particular about their responses.

> > No matter what, the code is a step in the right direction.
>
> Absolutely, and as soon as it actually checks that it is getting
> properly signed packets, there should be no reason not to turn it
> on. Meanwhile, I am not sure we should be telling people to use it.

Did you miss this part of the commit message?

Committed
as-is for further testing between a NetBSD BGP speaker (e.g., quagga)
and industry-standard BGP speakers (e.g., Cisco, Juniper).

Seems rather clear that it's still in the testing stages...

Take care,

Bill

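The gap the thread is circling is on the receive side of TCP-MD5 (RFC 2385): a speaker that signs what it sends but neither requires the signature option on inbound segments nor verifies the digest gets no protection from it. The following is an added illustration, not NetBSD kernel code and not from any participant in the thread. It computes the RFC 2385 digest exactly as the RFC specifies (pseudo-header, fixed 20-byte TCP header with the checksum zeroed and options excluded, segment data, then the key) and shows a verifier that rejects a segment when the option is absent, malformed, or carries a wrong digest. The key, addresses, ports and payload are constructed values for the example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCPOPT_SIGNATURE = 19    # RFC 2385 option kind
TCPOLEN_SIGNATURE = 18   # kind + length + 16-byte MD5 digest
IPPROTO_TCP = 6

# Constructed example values (not from the thread): RFC 5737 documentation addresses.
SRC, DST = "192.0.2.1", "192.0.2.2"
KEY = b"constructed-example-key"


def split_options(options: bytes):
    """Yield (kind, payload) for each TCP option; stop at EOL, skip NOPs."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of option list
            return
        if kind == 1:            # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        yield kind, options[i + 2:i + length]
        i += length


def rfc2385_digest(src: str, dst: str, segment: bytes, key: bytes) -> bytes:
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed, options
    excluded), segment data, and the key, in that order (RFC 2385 section 2.0)."""
    doff = (segment[12] >> 4) * 4
    pseudo = (IPv4Address(src).packed + IPv4Address(dst).packed
              + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment)))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]   # zero the checksum field
    m = hashlib.md5()
    m.update(pseudo)
    m.update(fixed)
    m.update(segment[doff:])       # data only; options are not covered
    m.update(key)
    return m.digest()


def verify_segment(src: str, dst: str, segment: bytes, key: bytes) -> str:
    """Receive-side check: the option must be present, well formed, and correct."""
    if len(segment) < 20:
        return "reject: malformed header"
    doff = (segment[12] >> 4) * 4
    if doff < 20 or doff > len(segment):
        return "reject: malformed header"
    try:
        sigs = [p for k, p in split_options(segment[20:doff]) if k == TCPOPT_SIGNATURE]
    except ValueError:
        return "reject: malformed options"
    if not sigs:                   # the check the thread says is missing
        return "reject: no signature option"
    if len(sigs) != 1 or len(sigs[0]) != 16:
        return "reject: malformed signature option"
    expected = rfc2385_digest(src, dst, segment, key)
    if not hmac.compare_digest(sigs[0], expected):
        return "reject: bad signature"
    return "accept"


def build_signed_segment(src, dst, sport, dport, seq, ack, flags, data, key) -> bytes:
    """Sender side: 20-byte header + signature option padded with two NOPs + data.
    The TCP checksum is left at zero here; it is not covered by the digest anyway."""
    doff_words = (20 + TCPOLEN_SIGNATURE + 2) // 4          # 40 bytes -> 10 words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         doff_words << 4, flags, 65535, 0, 0)
    placeholder = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + bytes(16) + b"\x01\x01"
    digest = rfc2385_digest(src, dst, header + placeholder + data, key)
    return header + bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + digest + b"\x01\x01" + data


def build_unsigned_segment(sport, dport, seq, ack, flags, data) -> bytes:
    """A segment with no options at all (data offset 5), as an unprotected peer would send."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return header + data


def demo() -> dict:
    """Run the verifier over the four cases a receiver must distinguish."""
    good = build_signed_segment(SRC, DST, 179, 40000, 1000, 2000, 0x18, b"BGP payload", KEY)
    tampered = bytearray(good)
    tampered[22] ^= 0xFF                     # flip a byte of the carried digest
    unsigned = build_unsigned_segment(179, 40000, 1000, 2000, 0x18, b"BGP payload")
    return {
        "signed":     verify_segment(SRC, DST, good, KEY),
        "wrong_key":  verify_segment(SRC, DST, good, b"other-key"),
        "tampered":   verify_segment(SRC, DST, bytes(tampered), KEY),
        "unsigned":   verify_segment(SRC, DST, unsigned, KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```

The "unsigned" case is the one the thread singles out: a receiver that only verifies digests when an option happens to be present still accepts a segment with no option at all, so the check for presence has to come before the digest comparison. Using a constant-time comparison for the digest is a detail a kernel implementation should also get right, even though the thread does not raise it.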