Best Current Practices for Routing Protocol Security

John Kristoff jtk at aharp.is-net.depaul.edu
Wed Aug 14 18:44:26 UTC 2002


On Wed, Aug 14, 2002 at 01:23:01PM -0400, Sean Donelan wrote:
> 4. Don't exchange routing information with external parties

And don't trust them.  Use limits on the amount of prefixes you're
willing to accept.  Verify routes received with some third party
(e.g. routing database).

> 5. Explicit routing neighbor associations - passive-interface default

Both inbound and outbound.  On Cisco routers, in addition to passive-interface
you might do 'distribute-list 1 in <interface>' where 1 is an ACL that
can be simply 'deny any'.

> 6. Address validation on all edge devices

Filter to only allow neighbor IPs to the specific routing protocol.
For example on a BGP peer, filter TCP port 179 on each peer interface
to only allow the expected peer IP.

Also:

Apply damping as appropriate, but protect subnets serving root DNS
servers from accidental damping.

Limit maximum prefix length you're willing to accept.

Make extensive use of remote logging and monitoring.  Keep an eye on
routing table changes over time and the overall operation of the
routers.

Filter out known bogus routes such as reserved, private, and special
use address space as appropriate.

John
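The inbound checks listed in this message (a limit on the number of prefixes accepted from a peer, a maximum prefix length, filtering of reserved, private and special-use space, and accepting TCP port 179 only from the expected peer address) can be exercised as a small policy model. This is an added Python example, not code from the original post or from any router vendor; the peer address, the limits, the bogon list and the announced prefixes are all constructed for the illustration.

```python
"""Model of an inbound BGP neighbour policy: prefix-count limit with a
warning threshold, maximum prefix length, bogon filtering and a source
check for the TCP/179 session.  Added example; all values are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed list of reserved / private / special-use space that an external
# peer should never announce (hypothetical, not a complete bogon list).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3",
)]


@dataclass
class PeerPolicy:
    """Inbound policy for one external neighbour (limits are hypothetical)."""
    peer_ip: str
    max_prefixes: int            # hard limit on prefixes accepted from this peer
    max_length: int = 24         # longest prefix we are willing to install
    warn_percent: int = 90       # log a warning at this fraction of the limit
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (prefix, reason)
    log: list = field(default_factory=list)        # what remote logging would see
    limit_exceeded: bool = False

    def session_packet_allowed(self, src_ip: str, dst_port: int) -> bool:
        """Edge filter: BGP (TCP/179) is only accepted from the expected peer."""
        if dst_port != 179:
            return True
        return src_ip == self.peer_ip

    def evaluate(self, prefix: str) -> bool:
        """Apply the inbound checks to one announced prefix; True if accepted."""
        if self.limit_exceeded:
            # A real router would have torn the session down at this point.
            self.rejected.append((prefix, "session over prefix limit"))
            return False
        net = ipaddress.ip_network(prefix, strict=False)
        if net.prefixlen > self.max_length:
            self.rejected.append((prefix, "longer than /%d" % self.max_length))
            return False
        # Reject anything inside, or covering, reserved space.
        if any(net.overlaps(b) for b in BOGONS):
            self.rejected.append((prefix, "bogon"))
            return False
        if len(self.accepted) >= self.max_prefixes:
            self.limit_exceeded = True
            self.log.append("prefix limit %d reached from %s"
                            % (self.max_prefixes, self.peer_ip))
            self.rejected.append((prefix, "prefix limit"))
            return False
        self.accepted.append(net)
        if len(self.accepted) * 100 >= self.warn_percent * self.max_prefixes:
            self.log.append("warning: %d of %d prefixes used from %s"
                            % (len(self.accepted), self.max_prefixes, self.peer_ip))
        return True


def run_example() -> PeerPolicy:
    """Feed a constructed set of announcements through the policy."""
    policy = PeerPolicy(peer_ip="203.0.113.1", max_prefixes=3)
    # Constructed announcements from the peer; not real routing data.
    for prefix in ["198.18.0.0/15", "203.0.113.0/24", "192.168.1.0/24",
                   "198.51.100.128/25", "100.64.0.0/10", "198.51.100.0/24"]:
        policy.evaluate(prefix)
    return policy


if __name__ == "__main__":
    result = run_example()
    for net in result.accepted:
        print("accepted", net)
    for prefix, reason in result.rejected:
        print("rejected", prefix, "-", reason)
    for line in result.log:
        print("log:", line)
```

The checks are ordered so that a bogon or over-long prefix never counts against the prefix limit, and the warning fires before the hard limit so that monitoring sees growth before the session is dropped.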