Winstar says there is no TCP/BGP vulnerability

Patrick W. Gilmore patrick at ianai.net
Wed Apr 21 05:21:52 UTC 2004


On Apr 21, 2004, at 12:51 AM, Michel Py wrote:

> b) A specific-to-the-peer route-map to filter the routes I receive from
> the peer to the peer's blocks, as agreed in the beer drinking meeting
> ^H^H^H^H BLPA. This route map is not entirely specific, as I also put in
> stuff such as deny RFC1918 routes ;-)

No medium or large network filters their peers on prefix.  And very few 
small networks do either.  Prefix count, maybe, but not individual 
prefixes.  There are far too many changes on far too many peers per day 
to keep up.  Not to mention far, far, far too many chances to screw up 
and get the dreaded phone call in the middle of the night.


> Now, the dumb question:
> Given:
> 1) The context above especially item b

Since item b) is no longer given, your question is invalid.


> 2) Christopher Morrow's comments below
> Explain to me what having or not having the MD5 password changes. Either
> you're small and/or stupid and do it manually, or you have an automated
> system that does it for you.
>
>
>> Christopher L. Morrow wrote:
>> there is the issue of changing the keys during operations
>> without impacting the network, eh? Having to bounce every
>> bgp session in your network can be pretty darned painful...
>> if you change the key(s) of course.
>
> See above: Changing the route-map is equally painful.

See above: Networks do not filter as per item b).  Since that is 
"equally painful", I guess they should not change the route-map or MD5 
password either.  Hrmmmm, someone is again proving my point for me....


>> If you don't you might as well not have keys, since adding
>> the 3 lines of C code required to Paul Watson's program
>> making it do the hashing certainly won't be a big deal, eh?
>
> I'm weak with C. Besides adding "neighbor x.x.x.x password 7 " below
> "enable-password 7 " for each peer (which requires recompiling, how
> annoying), would you care to share the 3 said lines for the code below
> :-)

I think you miss the point here.

Or maybe I did.  It's late; rather than possibly misinterpreting another 
person's post, I'll let Chris explain it himself.

-- 
TTFN,
patrick
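The "MD5 password" argued over in this thread is the TCP MD5 signature option (RFC 2385): each segment of the BGP session carries an MD5 digest over the IP pseudo-header, the base TCP header, the data and the shared key, and the receiver silently discards any segment whose digest does not match. The example below is added here to show that receiver-side check in working code; it is not from the thread, from Paul Watson's program or from any router vendor's implementation. The peer addresses and session key are constructed values, and the option layout (signature option followed by two NOPs) is one common alignment choice, not a requirement of the RFC.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
MD5_OPT_KIND = 19   # TCP option kind for the RFC 2385 signature
MD5_OPT_LEN = 18    # kind (1) + length (1) + MD5 digest (16)

# Constructed values for the demonstration (documentation address range).
PEER_A = "192.0.2.1"
PEER_B = "192.0.2.2"
SESSION_KEY = b"example-session-key"


def rfc2385_digest(src_ip, dst_ip, tcp_segment, key):
    """MD5 over: pseudo-header, the 20-byte base TCP header with the
    checksum assumed zero, the segment data, then the key. Options
    (including the signature option itself) are not covered."""
    data_offset = (tcp_segment[12] >> 4) * 4
    base_header = bytearray(tcp_segment[:20])
    base_header[16:18] = b"\x00\x00"
    payload = bytes(tcp_segment[data_offset:])
    pseudo_header = (ipaddress.IPv4Address(src_ip).packed
                     + ipaddress.IPv4Address(dst_ip).packed
                     + struct.pack("!BBH", 0, TCP_PROTO, len(tcp_segment)))
    h = hashlib.md5()
    for part in (pseudo_header, bytes(base_header), payload, key):
        h.update(part)
    return h.digest()


def build_signed_segment(src_port, dst_port, seq, ack, flags, payload,
                         src_ip, dst_ip, key):
    """Sender side: base header, MD5 option (18 bytes) plus two NOPs for
    32-bit alignment, then data. Data offset is therefore 10 words."""
    base = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       10 << 4, flags, 65535, 0, 0)
    option_tail = b"\x01\x01"                       # two NOP options
    placeholder = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + b"\x00" * 16
    digest = rfc2385_digest(src_ip, dst_ip,
                            base + placeholder + option_tail + payload, key)
    signature_opt = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest
    return base + signature_opt + option_tail + payload


def find_md5_option(tcp_segment):
    """Walk the option list and return the 16-byte signature, or None."""
    data_offset = (tcp_segment[12] >> 4) * 4
    opts = bytes(tcp_segment[20:data_offset])
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            return None
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return None                    # malformed option
        length = opts[i + 1]
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return opts[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, tcp_segment, key):
    """Receiver side: on a signed session a segment without a valid
    signature is discarded silently, so a reset that was not produced
    with the session key never reaches the BGP session."""
    received = find_md5_option(tcp_segment)
    if received is None:
        return False
    expected = rfc2385_digest(src_ip, dst_ip, tcp_segment, key)
    return hmac.compare_digest(received, expected)


def demo():
    """A legitimate RST from the peer, the same RST checked against the
    wrong key, a copy altered in flight, and an unsigned RST."""
    rst = build_signed_segment(179, 40000, 1000, 0, 0x04, b"",
                               PEER_A, PEER_B, SESSION_KEY)
    modified = bytearray(rst)
    modified[4:8] = struct.pack("!I", 2000)         # sequence number altered
    unsigned = struct.pack("!HHIIBBHHH", 179, 40000, 1000, 0,
                           5 << 4, 0x04, 65535, 0, 0)
    return {
        "signed_ok": verify_segment(PEER_A, PEER_B, rst, SESSION_KEY),
        "wrong_key": verify_segment(PEER_A, PEER_B, rst, b"other-key"),
        "modified": verify_segment(PEER_A, PEER_B, bytes(modified), SESSION_KEY),
        "unsigned": verify_segment(PEER_A, PEER_B, unsigned, SESSION_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The check only does its job as long as the key is known to the two peers alone, which is the operational point Chris raises above: a key that is never rotated after it has been shared around is no better than no key, and rotating it means bouncing the session on both ends at once, since a segment signed under either key alone fails on a peer still holding the other one.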
