MD5 for TCP/BGP Sessions

Christopher L. Morrow christopher.morrow at mci.com
Thu Mar 31 05:57:07 UTC 2005




On Wed, 30 Mar 2005, vijay gill wrote:

> Christopher L. Morrow wrote:
> >
> > provided your gear supports it an acl (this is one reason layered acls
> > would be nice on routers) per peer with:
> > permit /30 eq 179 /30
> > permit /30 /30 eq 179
> > deny all-network-gear-ip-space (some folks call it backbone ip space, Paul
> > Quinn at cisco says: "Infrastructure ip space")
> >
> > no more traffic to the peer except BGP from the peer /30. No more ping, no
> > more traceroute of interface... (downsides perhaps?) and the 'customer'
> > can still DoS himself :( (or his compromised machine can DoS him)
> >
>
> or forge the source ip on the neighbor's /30 or /31 (why aren't you using
> /31s anyway) and call it done.

Curse you and your new-fangled /31s! :) Yes, someone inside the customer
could DoS the customer... if the customer cared, they could ACL their side
as well, though since they aren't doing egress filtering I'm betting they
aren't going to do this either ;(

-Chris
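Added example (not from the thread or from either poster): a small Python model of the per-peer ACL Chris sketches, so the rule order can be checked against sample traffic before it is typed into a router. The addresses are assumed documentation ranges, the /24 containing the peering /30 stands in for "infrastructure ip space", and the trailing permit for ordinary transit traffic is an assumption the post does not spell out.

```python
"""Model of the per-peer infrastructure ACL sketched in the thread.

All addresses are constructed documentation ranges (RFC 5737) chosen for
this example; they are not taken from the post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")

# Assumed topology: our side of the peering /30 is .1, the customer's router
# is .2, and the whole /24 is our "infrastructure ip space".
PEER_LINK = IPv4Network("192.0.2.0/30")
INFRA_SPACE = IPv4Network("192.0.2.0/24")
BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0      # 0 when the protocol has no ports
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "ip"            # "ip" matches any protocol
    sport: Optional[int] = None  # None matches any port ("eq N" in IOS otherwise)
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if IPv4Address(pkt.src) not in self.src or IPv4Address(pkt.dst) not in self.dst:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


# The ACL from the post, read as Cisco-style first-match rules:
#   permit /30 eq 179 /30   -> BGP packets whose source port is 179
#   permit /30 /30 eq 179   -> BGP packets towards port 179
#   deny  any infra-space   -> nothing else from the peer may reach network gear
# plus a trailing permit so the customer's ordinary transit traffic still flows
# (assumed here; the post does not spell that line out).
PEER_ACL = [
    Rule("permit", PEER_LINK, PEER_LINK, "tcp", sport=BGP_PORT),
    Rule("permit", PEER_LINK, PEER_LINK, "tcp", dport=BGP_PORT),
    Rule("deny", ANY, INFRA_SPACE),
    Rule("permit", ANY, ANY),
]


def evaluate(pkt: Packet, acl=PEER_ACL) -> Tuple[str, int]:
    """Return (action, index of the first matching rule); implicit deny if none match."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", len(acl)


def summarize(packets, acl=PEER_ACL):
    """Count permitted and denied packets, as a quick sanity check of the ACL."""
    counts = {"permit": 0, "deny": 0}
    for pkt in packets:
        counts[evaluate(pkt, acl)[0]] += 1
    return counts


# Constructed sample traffic arriving on the customer-facing interface.
SAMPLE = [
    Packet("192.0.2.2", "192.0.2.1", "tcp", 40000, 179),    # BGP open from the peer
    Packet("192.0.2.2", "192.0.2.1", "tcp", 179, 40000),    # BGP from the peer's port 179
    Packet("192.0.2.2", "192.0.2.1", "icmp"),               # ping of our interface
    Packet("192.0.2.2", "192.0.2.1", "udp", 33434, 33434),  # traceroute probe at us
    Packet("192.0.2.2", "203.0.113.5", "tcp", 40000, 443),  # ordinary transit traffic
    Packet("10.0.0.9", "192.0.2.1", "tcp", 40000, 179),     # host behind the customer
    Packet("192.0.2.2", "192.0.2.9", "tcp", 40000, 22),     # ssh at another box in infra space
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        action, idx = evaluate(pkt)
        print(f"{action:6} (rule {idx}) {pkt.proto:4} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    print(summarize(SAMPLE))
```

The model matches on header fields only, which is exactly the limitation vijay raises: a packet that carries the peer's /30 address as its source is treated the same whatever its real origin, so the ACL narrows exposure of the router but does not authenticate the session, which is what the thread's subject (TCP MD5) is about.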


