MD5 for TCP/BGP Sessions

Pekka Savola pekkas at netcore.fi
Thu Mar 31 06:23:59 UTC 2005


On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
> without wishing to repeat what can be googled for.. putting acls on your edge to
> protect your ebgp sessions won't work for obvious reasons -- to spoof data and
> disrupt a session you have to spoof the srcip which of course the acl will allow
> in

This is why this helps for eBGP sessions only if the peer is also 
protecting its borders. I.e., if you know the peer's network has 
spoofing-prevention enabled, nobody is able to spoof the srcip the 
peer uses.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings


