Winstar says there is no TCP/BGP vulnerability

Peering Peering at xspedius.com
Wed Apr 21 15:28:24 UTC 2004


We do prefix-filter all our peers, both customer and transit.  We also
use as-path filters.  It does seem to help us avoid insertion of invalid
routes and other issues (especially since some people we peer with don't
do the same on their side).

As far as stability and process problems, we're too busy working on the
instability of the Ciscos we're on now to notice, particularly the
problem with BGP scanner taking up all the CPU every 60 seconds.  We're
preparing to move from an ATM core on Alcatel ATM switches with a Cisco
edge to an IP-MPLS core on Juniper M-20s with M-20s (and a few Ciscos in
smaller cities) on the edge.  Hopefully that will improve our stability.
We're pretty excited about the Junipers (the network geeks like me here
are drooling).

Diane Turley
Network Engineer
Xspedius Communications Co.
636-625-7178


-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Patrick W.Gilmore
Sent: Wednesday, April 21, 2004 10:12 AM
To: nanog at merit.edu
Cc: Patrick W.Gilmore
Subject: Re: Winstar says there is no TCP/BGP vulnerability



On Apr 21, 2004, at 10:38 AM, Jared Mauch wrote:

> On Wed, Apr 21, 2004 at 10:19:10AM -0400, Patrick W.Gilmore wrote:
>>
>>> Yes, it generates more work to update the database,
>>> but OTOH it provides the LIII engineer with a lot more to
>>> troubleshoot issues. Is it simply not worth the work at your scale?
>>
>> Exactly.
>>
>> And you do not have to be at 701's scale for this to not work.
>
> 	We've not had these issues and have been using
> bgp passwords/md5 for years.  We do have a fancy configuration
> management system in place, whereby people put things into the database
> first before they configure the router.

Sorry, in this particular post, we were (or at least I was) talking 
about having prefix filters for all your peers.  I know I've talked a 
lot about MD5 lately, just thought it would be a nice change of 
subject. :)

If you do prefix filter all your peers, that is impressive.  Do you get 
out of sync a lot?  Does it help keep the network more stable?  Or do 
process problems make it worse than just max-prefixes on a peer?

-- 
TTFN,
patrick



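Diane's reply above describes prefix-filtering and AS-path-filtering every peer, and Patrick's question compares that against relying on max-prefix alone. The configuration below is an added illustration of how those controls fit together on a Cisco IOS router of that era; it is not from either poster, from Xspedius, or from the NANOG archive. All AS numbers (64500 for the local network, 64496 for a customer, 64510 for a transit provider), prefixes (203.0.113.0/24 as the local aggregate, 192.0.2.0/24 as the customer's block, 198.51.100.0/30 as the transit link), list names and the password placeholder are constructed documentation values.

```cisco
! Added example, not from the thread. Constructed values throughout.
! Local AS 64500; customer AS 64496; transit provider AS 64510.
!
! --- Customer AS64496 inbound: only the prefix we registered for them ---
ip prefix-list CUST-AS64496-IN seq 5 permit 192.0.2.0/24
! Implicit deny at the end: anything else the customer announces is dropped.
!
! AS-path filter for the same session: the path must consist solely of
! the customer's own AS (prepending allowed). A path through any other AS
! means the customer is leaking routes and is rejected.
ip as-path access-list 10 permit ^64496(_64496)*$
!
! --- Transit AS64510 inbound: drop bogons, our own space and long prefixes ---
ip prefix-list TRANSIT-IN seq 5 deny 0.0.0.0/8 le 32
ip prefix-list TRANSIT-IN seq 10 deny 10.0.0.0/8 le 32
ip prefix-list TRANSIT-IN seq 15 deny 127.0.0.0/8 le 32
ip prefix-list TRANSIT-IN seq 20 deny 169.254.0.0/16 le 32
ip prefix-list TRANSIT-IN seq 25 deny 172.16.0.0/12 le 32
ip prefix-list TRANSIT-IN seq 30 deny 192.168.0.0/16 le 32
ip prefix-list TRANSIT-IN seq 35 deny 224.0.0.0/3 le 32
! Never accept our own aggregate from upstream (stops a hijack or a loop).
ip prefix-list TRANSIT-IN seq 40 deny 203.0.113.0/24 le 32
! Nothing longer than a /24.
ip prefix-list TRANSIT-IN seq 45 deny 0.0.0.0/0 ge 25
ip prefix-list TRANSIT-IN seq 50 permit 0.0.0.0/0 le 24
!
! --- Outbound to transit: only our aggregate and our customers' prefixes ---
ip prefix-list OUR-OUT seq 5 permit 203.0.113.0/24
ip prefix-list OUR-OUT seq 10 permit 192.0.2.0/24
!
! Pull-up route so the aggregate is always originated.
ip route 203.0.113.0 255.255.255.0 Null0
!
router bgp 64500
 no synchronization
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 !
 ! Customer session (link addressed from our aggregate).
 neighbor 203.0.113.2 remote-as 64496
 neighbor 203.0.113.2 description Customer AS64496
 neighbor 203.0.113.2 password SHARED-SECRET-PLACEHOLDER
 neighbor 203.0.113.2 prefix-list CUST-AS64496-IN in
 neighbor 203.0.113.2 filter-list 10 in
 ! Hard ceiling behind the filters: tear down at 10 prefixes, warn at 80%,
 ! retry after 15 minutes.
 neighbor 203.0.113.2 maximum-prefix 10 80 restart 15
 !
 ! Transit session (link addressed from the provider's space).
 neighbor 198.51.100.1 remote-as 64510
 neighbor 198.51.100.1 description Transit AS64510
 neighbor 198.51.100.1 password SHARED-SECRET-PLACEHOLDER
 neighbor 198.51.100.1 prefix-list TRANSIT-IN in
 neighbor 198.51.100.1 prefix-list OUR-OUT out
 ! Full table expected; warn only rather than drop the session on a spike.
 neighbor 198.51.100.1 maximum-prefix 200000 90 warning-only
```

The two mechanisms answer different questions: the prefix-list and filter-list decide which routes are ever accepted, while maximum-prefix is the backstop for the case Patrick raises, a peer whose filter is out of date or missing. The filters also create the "out of sync" failure mode he asks about: a customer who starts announcing a new block without telling you has it silently dropped. To see what a filter is discarding, add `neighbor <ip> soft-reconfiguration inbound` (at a memory cost) and compare `show ip bgp neighbors <ip> received-routes` with `show ip bgp neighbors <ip> routes`.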
