RFC 2385 (rfc2385) - Page 1 of 6
Protection of BGP Sessions via the TCP MD5 Signature Option
Alternative Format: Original Text Document
Network Working Group A. Heffernan
Request for Comments: 2385 cisco Systems
Category: Standards Track August 1998
Protection of BGP Sessions via the TCP MD5 Signature Option
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved.
IESG Note
This document describes currrent existing practice for securing BGP
against certain simple attacks. It is understood to have security
weaknesses against concerted attacks.
Abstract
This memo describes a TCP extension to enhance security for BGP. It
defines a new TCP option for carrying an MD5 [RFC 1321] digest in a
TCP segment. This digest acts like a signature for that segment,
incorporating information known only to the connection end points.
Since BGP uses TCP as its transport, using this option in the way
described in this paper significantly reduces the danger from certain
security attacks on BGP.
1.0 Introduction
The primary motivation for this option is to allow BGP to protect
itself against the introduction of spoofed TCP segments into the
connection stream. Of particular concern are TCP resets.
To spoof a connection using the scheme described in this paper, an
attacker would not only have to guess TCP sequence numbers, but would
also have had to obtain the password included in the MD5 digest.
This password never appears in the connection stream, and the actual
form of the password is up to the application. It could even change
Heffernan Standards Track