IP economics morphed into (TCP/RST)
Blaine Christian
blaine.christian at mci.com
Tue Apr 20 19:29:29 UTC 2004
> The other is our new hot topic of security, not sure if anyone has thought
> of this yet (or how interesting it is) but the nature of the bgp attack
> means that if you can view a BGP session you can figure things about a
> peer that would otherwise be hidden from you in particular the port
> numbers in use.. and I'm not entirely clear on the details but it sounds
> like when you hit the first session, you can take the rest out very easily.
>
> We can't take BGP out of band (yet!), perhaps we can keep it better hidden
> from view tho..
There are more protection methods available than just MD5 (as you allude to,
Steve). One mitigator is to use "non-routed" space for BGP peer
connections. If you have the ability to filter on TTL 255 you are in even
better shape (arguably perfectly secure against all but
configuration/hardware failures). You have some vulnerability with
non-routed space if you do default routing or have folks who default towards
the device doing the BGP peering though. Source routing is also a potential
hazard for the non-routed solution (does anyone have this enabled anymore?).
Apologies for the morph, but this raised a great point.
Regards,
Blaine
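To make the TTL-255 mitigation concrete, here is an added illustration (not code from the post or from any router vendor): a small packet checker that applies the two filters Blaine describes, an allowed peering prefix and a required incoming TTL of 255 (the trick later standardized as GTSM). The peering prefix 192.0.2.0/30 and the sample packets are constructed for the example; a spoofed packet that has crossed even one router arrives with TTL below 255 and is dropped, whatever its source address claims.

```python
import struct
from ipaddress import ip_address, ip_network

BGP_PORT = 179
# Constructed policy (assumption): peers sit on a dedicated, non-routed link
# prefix and are directly connected, so their packets must arrive with TTL 255.
PEER_NET = ip_network("192.0.2.0/30")
REQUIRED_TTL = 255


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull the fields the filter needs out of an IPv4 header plus TCP header."""
    ihl = (pkt[0] & 0x0F) * 4                    # IPv4 header length in bytes
    ttl, proto = pkt[8], pkt[9]
    src, dst = ip_address(pkt[12:16]), ip_address(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]                        # TCP flags byte
    return {"ttl": ttl, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "rst": bool(flags & 0x04)}


def gtsm_verdict(pkt: bytes) -> str:
    """Accept BGP packets only from the peering prefix and only with TTL 255."""
    f = parse_ipv4_tcp(pkt)
    if f["proto"] != 6 or BGP_PORT not in (f["sport"], f["dport"]):
        return "pass"                            # not BGP: other policy applies
    if f["src"] not in PEER_NET:
        return "drop: source outside peering prefix"
    if f["ttl"] != REQUIRED_TTL:
        # A packet that traversed any router had its TTL decremented, so even
        # a correctly spoofed source address and guessed port fail here.
        return f"drop: ttl {f['ttl']} != {REQUIRED_TTL}"
    return "accept"


def build_pkt(src: str, dst: str, sport: int, dport: int, ttl: int, rst: bool = False) -> bytes:
    """Construct a minimal 20-byte IPv4 header and 20-byte TCP header (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    flags = 0x04 if rst else 0x10                # RST or plain ACK
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # Constructed samples: genuine peer, spoofed RST from several hops away,
    # RST from outside the peering prefix, and unrelated traffic.
    for p in (build_pkt("192.0.2.1", "192.0.2.2", 179, 40000, 255),
              build_pkt("192.0.2.1", "192.0.2.2", 179, 40000, 249, rst=True),
              build_pkt("203.0.113.7", "192.0.2.2", 51000, 179, 255, rst=True),
              build_pkt("203.0.113.7", "192.0.2.2", 51000, 443, 60)):
        print(gtsm_verdict(p))
```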