MD5 for TCP/BGP Sessions
Pekka Savola
pekkas at netcore.fi
Thu Mar 31 17:43:42 UTC 2005
On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
>> On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
>>> without wishing to repeat what can be googled for.. putting acls on your edge to
>>> protect your ebgp sessions wont work for obvious reasons -- to spoof data and
>>> disrupt a session you have to spoof the srcip which of course the acl will allow
>>> in
>>
>> This is why this helps for eBGP sessions only the peer is also protecting its
>> borders. I.e., if you know the peer's network has spoofing-prevention enabled,
>> nobody is able to spoof the srcip the peer uses.
>
> trusting a third party to protect your network is imho not best practice, in
> addition many networks may have considerable customers inside them making
> attacking from inside trivial
That is why GTSM is useful for hardening, in addition to protecting
your borders.
When I say 'border protection', I also mean the border between an
operator and its customers. I.e., strict uRPF -like prevention, so
that nobody (neither a peer, upstream or customer) is able to spoof
the infrastructure IP addresses.
That's what we're doing, and I'd hope more people would as well.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
More information about the NANOG
mailing list