MD5 for TCP/BGP Sessions

Pekka Savola pekkas at
Thu Mar 31 17:43:42 UTC 2005

On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
>> On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
>>> without wishing to repeat what can be googled for.. putting acls on your edge to
>>> protect your ebgp sessions wont work for obvious reasons -- to spoof data and
>>> disrupt a session you have to spoof the srcip which of course the acl will allow
>>> in
>> This is why this helps for eBGP sessions only the peer is also protecting its
>> borders. I.e., if you know the peer's network has spoofing-prevention enabled,
>> nobody is able to spoof the srcip the peer uses.
> trusting a third party to protect your network is imho not best practice, in
> addition many networks may have considerable customers inside them making
> attacking from inside trivial

That is why GTSM is useful for hardening, in addition to protecting 
your borders.

When I say 'border protection', I also mean the border between an 
operator and its customers.  I.e., strict uRPF -like prevention, so 
that nobody (neither a peer, upstream or customer) is able to spoof 
the infrastructure IP addresses.

That's what we're doing, and I'd hope more people would as well.

Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

More information about the NANOG mailing list