MD5 for TCP/BGP Sessions

Pekka Savola pekkas at netcore.fi
Thu Mar 31 17:43:42 UTC 2005


On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
>> On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
>>> without wishing to repeat what can be googled for.. putting acls on your edge to
>>> protect your ebgp sessions wont work for obvious reasons -- to spoof data and
>>> disrupt a session you have to spoof the srcip which of course the acl will allow
>>> in
>>
>> This is why this helps for eBGP sessions only the peer is also protecting its
>> borders. I.e., if you know the peer's network has spoofing-prevention enabled,
>> nobody is able to spoof the srcip the peer uses.
>
> trusting a third party to protect your network is imho not best practice, in
> addition many networks may have considerable customers inside them making
> attacking from inside trivial

That is why GTSM is useful for hardening, in addition to protecting 
your borders.

When I say 'border protection', I also mean the border between an 
operator and its customers.  I.e., strict uRPF -like prevention, so 
that nobody (neither a peer, upstream or customer) is able to spoof 
the infrastructure IP addresses.

That's what we're doing, and I'd hope more people would as well.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings



More information about the NANOG mailing list