04-20-2004 12:15 PM - edited 03-02-2019 03:07 PM
I just received an email from one of our upstream ISP's about a new vulnerability that could cause a reset of BGP sessions possibly usable in a Denial of Service attack. They referenced the URL http://www.uniras.gov.uk/vuls/2004/236929/index.htm
Which seems to indicate a recomendation of using MD5 signature option on BGP peering points.
A couple questions regarding this:
How serious of an issue is this, and should MD5 encryption be setup on BGP peers?
and
What are the requirements (IOS version and FeatureSet) for this, and how is it setup?
04-20-2004 02:35 PM
A Security Advisory has just been released on CO this afternoon. Please refer to the following link.
http://www.cisco.com/warp/public/707/advisory.html
Hope this helps,
04-22-2004 01:22 AM
Hi,
It seems like everybody is focusing on BGP, is the advisory also valid for other protocols like LDP and DLSW etc.. Does the repaired code also include fixes for the above protocols ?
/ Daniel
04-22-2004 03:30 AM
The reason everybody talks about BGP is that it is certainly the most widely deployed of them and at the same time the one that causes the most disruption. To answer your question, the fix changes the TCP behavior from RFC793 to the more specific one described in draft-ietf-tcpm-tcpsecure-00.txt tererefore it addresses the issue from a TCP standpoint.
Hope this helps,
04-22-2004 07:21 AM
Looking at the security advisory at http://www.cisco.com/en/US/customer/products/products_security_advisory09186a008021bc62.shtml
I see that for version 12.3 Mainline code it shows that the rebuild version for a fix is 12.3(6). Does 12.3(6a) also include the fixes, I was going to load 12.3(6) but it showed multiple bugs that I decided it would be best to go to the latest 12.3(6a). Will 12.3(6a) include the fixes or would I have to actually use 12.3(6)?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: