Best Current Practices for Routing Protocol Security

• Previous message (by thread): Best Current Practices for Routing Protocol Security
• Next message (by thread): Best Current Practices for Routing Protocol Security
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 14, 2002 at 01:44:26PM -0500, John Kristoff wrote:

> > 6. Address validation on all edge devices
> 
> Filter to only allow neighbor IPs to the specific routing protocol.
> For example on a BGP peer, filter TCP port 179 on each peer interface
> to only allow the expected peer IP.

Agreed..

If one or both sides aren't doing any sort of uRPF or ingress filtering 
on their edges, it may still be possible to throw packets at bgp from 
behind the remote peering router. 

It's probably not a bad idea to have an additional filter to block
traffic going to port 179 on the peer's dst from _any_ src on all of the
other interfaces on the peering router. (Or some other mechanism which
does the same thing, which I think Sean was pointing out.) It's sort of 
mutually beneficial for both sides of a given peering to protect each 
other, as it's not really possible for a filter on one side to fully 
protect itself.

(Just my additional $0.02)

..Dylan

-- 
  ,  Dylan Greene      ,
 +   Juniper Networks   +
 +   +1 617/407-6254    +
  `  dylan at juniper.net '

• Previous message (by thread): Best Current Practices for Routing Protocol Security
• Next message (by thread): Best Current Practices for Routing Protocol Security
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]