All devices that are peered with the core KAREN routers are required to implement the MD5 signature option to protect BGP sessions. The protection of border gateway protocol (BGP) sessions using a TCP message-digest algorithm 5 (MD5) signature option is defined in RFC 2385.

The problem

BGP uses TCP port 179 to transfer routing information between configured peers.  It is possible to introduce spoofed TCP packets into this communication stream to enter spurious information from what would appear to be a valid BGP peer. This particular exploit is made easier through the use of TCP resets, which reduces the number of sequence numbers that must be guessed in order for the spoof to be successful.

The TCP reset vulnerability is exacerbated when RFC 1323 extensions are used. RFC 1323 extensions are defined to allow TCP based systems to make use of high performance networks such as KAREN. If the window size were configured for maximum performance only 4 sequence number guesses (as opposed to 262,143) would be required to gain enough information to spoof the TCP session.  More information can be found in a whitepaper by Paul Watson called Slipping in the Window (doc, 3MB).

The solution

MD5 is a cryptographic hash function that is described in RFC 1321.  RFC 2385 describes a process that includes an MD5 digest in each BGP TCP packet that is exchanged between peer systems.  Each peer must be pre-configured with a secret string that is not exchanged as part of the BGP messages or the MD5 digest included in the TCP segment.  This means that the string must be guessed in order to introduce spoofed packets into the communication stream, it cannot be captured.