Cisco Support Community
New Member

BGP Denial Of Service Vulnerability??

I just received an email from one of our upstream ISPs about a new vulnerability that could cause a reset of BGP sessions, possibly usable in a Denial of Service attack. They referenced the URL http://www.uniras.gov.uk/vuls/2004/236929/index.htm

Which seems to indicate a recommendation of using the MD5 signature option on BGP peering points.

A couple questions regarding this:

How serious of an issue is this, and should MD5 encryption be set up on BGP peers?

and

What are the requirements (IOS version and FeatureSet) for this, and how is it set up?

4 REPLIES
Cisco Employee

Re: BGP Denial Of Service Vulnerability??

A Security Advisory has just been released on CO this afternoon. Please refer to the following link.

http://www.cisco.com/warp/public/707/advisory.html

Hope this helps,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México 
Paseo de la Reforma 222 Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Re: BGP Denial Of Service Vulnerability??

Hi,

It seems like everybody is focusing on BGP. Is the advisory also valid for other protocols like LDP, DLSW, etc.? Does the repaired code also include fixes for the above protocols?

/ Daniel

Cisco Employee

Re: BGP Denial Of Service Vulnerability??

The reason everybody talks about BGP is that it is certainly the most widely deployed of them and at the same time the one that causes the most disruption. To answer your question, the fix changes the TCP behavior from RFC 793 to the more specific one described in draft-ietf-tcpm-tcpsecure-00.txt; therefore, it addresses the issue from a TCP standpoint.

Hope this helps,

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México 
Paseo de la Reforma 222 Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
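
The change in TCP behavior mentioned in the reply above, sketched as an added example (not part of the thread and not Cisco's code): how a receiver treats an incoming RST under RFC 793 versus the rule in the tcpsecure draft. Function names and the sample sequence numbers are constructed for illustration.

```python
# Added example: receiver-side RST handling, RFC 793 vs. draft-ietf-tcpm-tcpsecure.
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq is acceptable: within [rcv_nxt, rcv_nxt + rcv_wnd) mod 2**32."""
    if rcv_wnd == 0:
        return seq == rcv_nxt  # zero window: only RCV.NXT itself is acceptable
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_rfc793(seq, rcv_nxt, rcv_wnd):
    """RFC 793: any RST whose sequence number is in the receive window resets."""
    return "RESET" if in_window(seq, rcv_nxt, rcv_wnd) else "DROP"


def rst_tcpsecure(seq, rcv_nxt, rcv_wnd):
    """tcpsecure draft: only an exact match on RCV.NXT resets the connection.

    An in-window but inexact RST is answered with an ACK; a genuine peer that
    really wants to reset replies with an RST carrying the exact number.
    """
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "DROP"
    if seq == rcv_nxt:
        return "RESET"
    return "CHALLENGE_ACK"


def compare(segments, rcv_nxt, rcv_wnd):
    """Return (seq, rfc793_action, tcpsecure_action) for each RST seen."""
    return [(s, rst_rfc793(s, rcv_nxt, rcv_wnd), rst_tcpsecure(s, rcv_nxt, rcv_wnd))
            for s in segments]


if __name__ == "__main__":
    # Constructed values: session state near the 32-bit wrap, 16 KB window.
    RCV_NXT, RCV_WND = 0xFFFFF000, 16384
    rsts = [0xFFFFF000, 0xFFFFF800, 0x00000100, 0x00003000, 0x7FFFFFFF]
    for seq, old, new in compare(rsts, RCV_NXT, RCV_WND):
        print(f"RST seq={seq:#010x}  RFC793={old:<6} tcpsecure={new}")
```

Because the check sits in TCP itself, it applies to any long-lived TCP session on the device, not only BGP.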
New Member

Re: BGP Denial Of Service Vulnerability??

Looking at the security advisory at http://www.cisco.com/en/US/customer/products/products_security_advisory09186a008021bc62.shtml

I see that for version 12.3 Mainline code it shows that the rebuild version for a fix is 12.3(6). Does 12.3(6a) also include the fixes? I was going to load 12.3(6), but it showed multiple bugs, so I decided it would be best to go to the latest, 12.3(6a). Will 12.3(6a) include the fixes, or would I have to actually use 12.3(6)?
