IP economics morphed into (TCP/RST)
Stephen J. Wilcox
steve at telecomplete.co.uk
Thu Apr 22 14:11:06 UTC 2004
On Tue, 20 Apr 2004, Blaine Christian wrote:
> > The other is our new hot topic of security, not sure if anyone has thought
> > of this yet (or how interesting it is) but the nature of the bgp attack
> > means that if you can view a BGP session you can figure things about a peer
> > that would otherwise be hidden from you in particular the port numbers in
> > use.. and I'm not entirely clear on the details but it sounds like when you
> > hit the first session, you can take the rest out very easily.
> >
> > We cant take BGP out of band (yet!), perhaps we can keep it better hidden
> > from view tho..
>
> There are more protection methods available than just MD5 (as you allude to
> Steve). One mitigator is to use "non-routed" space for BGP peer
> connections. If you have the ability to filter on TTL 255 you are in even
> better shape (arguably perfectly secure against all but
> configuration/hardware failures). You have some vulnerability with
> non-routed space if you do default routing or have folks who default towards
> the device doing the BGP peering though. Source routing is also a potential
> hazard for the non-routed solution (does anyone have this enabled anymore?).
>
> Apologies for the morph but this raised a great point.
Hmm ok so assume for a moment that I dont want RFC1918 for my links, what are my
options? :
There isnt a "link-local" for IP altho this would be a great solution (surely
this can be written for BGP??).
Or I could use all eBGP addresses from a block which I dont route and filter
internally.. I suspect this is a non-starter, I will have to include all my
addresses given to me by peers and its gonna screw traces, monitoring etc.
Can I use secondary IP addresses and then BGP with these addresses, this would
be a form of "security by obscurity" but providing you can keep the info a
secret thats surely going to do it?
Steve
More information about the NANOG
mailing list