IP economics morphed into (TCP/RST)

• Previous message (by thread): Backbone IP network Economics - peering and transit
• Next message (by thread): IP economics morphed into (TCP/RST)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> The other is our new hot topic of security, not sure if 
> anyone has thought of this yet (or how interesting it is) but 
> the nature of the bgp attack means that if you can view a BGP 
> session you can figure things about a peer that would 
> otherwise be hidden from you in particular the port numbers 
> in use.. and I'm not 
> entirely clear on the details but it sounds like when you hit 
> the first session, 
> you can take the rest out very easily.
> 
> We cant take BGP out of band (yet!), perhaps we can keep it 
> better hidden from 
> view tho..

There are more protection methods available than just MD5 (as you allude to
Steve).  One mitigator is to use "non-routed" space for BGP peer
connections.  If you have the ability to filter on TTL 255 you are in even
better shape (arguably perfectly secure against all but
configuration/hardware failures).  You have some vulnerability with
non-routed space if you do default routing or have folks who default towards
the device doing the BGP peering though.  Source routing is also a potential
hazard for the non-routed solution (does anyone have this enabled anymore?).

Apologies for the morph but this raised a great point.   

Regards,

Blaine

• Previous message (by thread): Backbone IP network Economics - peering and transit
• Next message (by thread): IP economics morphed into (TCP/RST)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]