Joe Rhett wrote:
I've left your entire message below so that one can see I've removed
nothing. Winstar has made NONE of the statements you are interpreting from
their response. They have simply stated that they don't support it at this
moment in time. I'll grant you that they could have answered "when" or
"why" or "what else". But they certainly didn't say anything you are
suggesting that they have said.
The only network engineer who may NOT have been aware of the building
BGP vulnerability issue over the last week has to be the engineer who is
currently on his annual vacation in Mauritius, and who refuses to take
his Blackberry, Palm, or Satellite phone with him.
And given the frantic activity by every single major backbone to protect
their connections by DEMANDING MD5 authentication, I think it is
disingenuous to suggest that a network like Winstar is merely saying
"They don't support it at this time" because they haven't gotten round
to it. They have to also be saying:
1) We don't believe there is any threat.
2) We don't want to set up MD5 because it is against our religion
3) We don't know *how* to set it up.
4) Our machines can't support setting up MD5.
5) Our network cannot support the outage as we bounce the session.
6) Our customers cannot accept the outage as we bounce the session
7) We're just thinking about it, and our planning process is taking a
8) We don't care about customer needs, even customers who spend $200k a
year with us.
9) We don't care about customers
and I am sure there are a slew of other possibilities.
But for a network provider to respond to a request from a large customer
who asks that their peering session be authenticated by just responding
"We don't use MD5 for peering currently" shows un unusually ballsy
attitude. There is more to it. Absent a specific, I chose to assume the
first option. I'm happy to hear Winstar's alternative.
I'm also interested in hearing if Winstar provided the same response to
the other big backbones? MCI, Sprint, AT&T, Level3, Verio, etc. It seems
to me that causing resets regularly forces the router to churn, dealing
with inserting routes into FIB, deleting routes from FIB, recalculate
FIB. Wash, rinse, repeat. Miscreants have no interest in a single reset.
And it won't take 200 seconds after the first reset. You probably won't
get out of the first window.
I stand by my first comment - Winstar doesn't believe that this is
enough of a threat to even craft a professional response.
<joke>Should we ever meet, I'll remember to never turn down a beer.
You might think I'm pro-prohibition or something...</joke>
No. If you were standing in the way of a scheduled trainwreck, and I
tossed you a schedule, a map, fed you live video of the approaching
train, and tossed you a lifeline, and you said you didn't believe there
was any danger I'd have to wonder.