Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Best Current Practices for Routing Protocol Security

  • From: Stephen J. Wilcox
  • Date: Wed Aug 14 15:21:09 2002


Must depend on the router architecture though if this is feasible..

i.e. why just BGP, can do this for all routing protocols

and that means filtering all ingress packets through several "lines" of
filter.. if you could do this by filtering out to a loopback this wouldn't be bad
but current practices are to peer real interface IPs (specifically to ensure
quick withdrawal when a link flaps).

I guess I can just see some unwanted overheads arising. No ideas on actual
metrics though, may be negligible in practice.

Steve

On Tue, 13 Aug 2002 dylan@juniper.net wrote:

> 
> On Wed, Aug 14, 2002 at 01:44:26PM -0500, John Kristoff wrote:
> 
> > > 6. Address validation on all edge devices
> > 
> > Filter to only allow neighbor IPs to the specific routing protocol.
> > For example on a BGP peer, filter TCP port 179 on each peer interface
> > to only allow the expected peer IP.
> 
> Agreed..
> 
> If one or both sides aren't doing any sort of uRPF or ingress filtering 
> on their edges, it may still be possible to throw packets at BGP from 
> behind the remote peering router. 
> 
> It's probably not a bad idea to have an additional filter to block
> traffic going to port 179 on the peer's dst from _any_ src on all of the
> other interfaces on the peering router. (Or some other mechanism which
> does the same thing, which I think Sean was pointing out.) It's sort of 
> mutually beneficial for both sides of a given peering to protect each 
> other, as it's not really possible for a filter on one side to fully 
> protect itself.
> 
> (Just my additional $0.02)
> 
> ..Dylan
> 
> 
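The two filters discussed in this thread, as an added example that is not part of the original posts and not code from any vendor: a Python model that emits IOS-style extended ACL lines per interface (illustrative syntax, not validated against a real device) and evaluates constructed packets against them with first-match semantics. Interface names, the RFC 5737 documentation addresses and the sample packets are all constructed for illustration. Filter 1 is John Kristoff's per-peer-interface rule (only the expected neighbour may reach TCP/179 on the local peering address); filter 2 is Dylan's additional rule (nothing arriving on the router's other interfaces may reach TCP/179 on a neighbour's address). Sessions are on real interface IPs, matching the current practice Steve describes.

```python
# Added example (not code from the NANOG thread or from any vendor):
# generate the two BGP filters discussed above as IOS-style extended ACL
# lines, one list per interface, and evaluate sample packets against them.
# Interface names and addresses are constructed for illustration, and the
# ACL text is illustrative syntax, not validated against any device.
from dataclasses import dataclass
from typing import List, Optional, Tuple

BGP_PORT = 179


@dataclass(frozen=True)
class Peering:
    interface: str  # local interface the session is configured over
    local_ip: str   # our interface address (the "real interface IP" peered to)
    peer_ip: str    # the neighbour's interface address


def inbound_acl(iface: str, peerings: List[Peering]) -> List[str]:
    """ACL applied inbound on `iface`. First match wins, as on a router."""
    rules: List[str] = []
    # Filter 1 (John Kristoff): only the configured neighbour on this
    # interface may exchange TCP/179 with the local peering address. Either
    # side may open the TCP session, so permit both port positions.
    for p in peerings:
        if p.interface == iface:
            rules.append(f"permit tcp host {p.peer_ip} host {p.local_ip} eq {BGP_PORT}")
            rules.append(f"permit tcp host {p.peer_ip} eq {BGP_PORT} host {p.local_ip}")
    # Filter 2 (Dylan): packets arriving on any *other* interface must not
    # reach TCP/179 on a neighbour's address. This stops spoofed or unfiltered
    # traffic from behind this router transiting it toward the peer's BGP port.
    for p in peerings:
        if p.interface != iface:
            rules.append(f"deny tcp any host {p.peer_ip} eq {BGP_PORT}")
    # Everything else aimed at our own BGP port is dropped; ordinary transit
    # traffic is still forwarded.
    for p in peerings:
        rules.append(f"deny tcp any host {p.local_ip} eq {BGP_PORT}")
    rules.append("permit ip any any")
    return rules


def _parse_endpoint(parts: List[str], i: int) -> Tuple[Optional[str], Optional[int], int]:
    """Parse 'any' | 'host A' followed by an optional 'eq N'; return (addr, port, next index)."""
    if parts[i] == "any":
        addr, i = None, i + 1
    else:                      # "host X"
        addr, i = parts[i + 1], i + 2
    port = None
    if i < len(parts) and parts[i] == "eq":
        port, i = int(parts[i + 1]), i + 2
    return addr, port, i


def evaluate(rules: List[str], src: str, dst: str, sport: int, dport: int) -> str:
    """Return 'permit' or 'deny' for a TCP packet; the first matching rule wins."""
    for rule in rules:
        parts = rule.split()
        action, proto = parts[0], parts[1]
        if proto == "ip":      # "permit ip any any" matches every packet
            return action
        s_addr, s_port, i = _parse_endpoint(parts, 2)
        d_addr, d_port, _ = _parse_endpoint(parts, i)
        if ((s_addr is None or s_addr == src) and (s_port is None or s_port == sport)
                and (d_addr is None or d_addr == dst) and (d_port is None or d_port == dport)):
            return action
    return "deny"              # implicit deny at the end of an ACL


# Constructed sample topology: two eBGP sessions on two interfaces.
PEERINGS = [
    Peering("ge-0/0/0", "192.0.2.1", "192.0.2.2"),
    Peering("ge-0/0/1", "198.51.100.1", "198.51.100.2"),
]


def check_samples() -> dict:
    """Evaluate a few constructed packets; the keys describe each scenario."""
    acl0 = inbound_acl("ge-0/0/0", PEERINGS)
    acl1 = inbound_acl("ge-0/0/1", PEERINGS)
    return {
        # legitimate neighbour opening the session to us
        "peer_to_us": evaluate(acl0, "192.0.2.2", "192.0.2.1", 51000, BGP_PORT),
        # reply traffic of a session we opened toward the neighbour
        "us_opened": evaluate(acl0, "192.0.2.2", "192.0.2.1", BGP_PORT, 51000),
        # unexpected source on the peering link aiming at our BGP port
        "stranger_to_us": evaluate(acl0, "203.0.113.7", "192.0.2.1", 4444, BGP_PORT),
        # packet from behind us transiting toward the peer's BGP port
        "transit_to_peer_bgp": evaluate(acl1, "203.0.113.7", "192.0.2.2", 4444, BGP_PORT),
        # ordinary transit traffic to the same peer address is unaffected
        "transit_to_peer_http": evaluate(acl1, "203.0.113.7", "192.0.2.2", 4444, 80),
    }


if __name__ == "__main__":
    for line in inbound_acl("ge-0/0/1", PEERINGS):
        print(line)
    print(check_samples())
```

The model makes Dylan's point concrete: filter 1 on our side cannot tell a packet genuinely sent by the neighbour from one that forges the neighbour's source address and arrives over the peering link from behind the neighbour's router, since both match the expected peer IP. Only filter 2 (or uRPF) on the neighbour's other interfaces stops that case, which is why each side's filtering protects the other rather than itself.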