
North American Network Operators Group
Re: MD5 for TCP/BGP Sessions
- From: vijay gill
- Date: Wed Mar 30 18:53:36 2005
Stephen J. Wilcox wrote:
> without wishing to repeat what can be googled for.. putting acls on your edge to
> protect your ebgp sessions won't work for obvious reasons -- to spoof data and
> disrupt a session you have to spoof the srcip which of course the acl will allow
> in
This is why you either have a stateful firewall in your router that
pushes a dynamic acl down to the linecard (or equivalent forwarding
place where the for_us vs through_us decision is made), and filter it
there. That makes guessing the correct 5 tuple a bit harder. Obviously
GTSM is the closest we have yet to hardening (note I did not use
securing) the session.
On average, the stateful filter will cause the attacker to try 32000
times to find correct 4-tuple. Conversely, attacker resources will need
to be on average 32000 times greater to adversely affect a router. The
cost of attacking infrastructure has risen, but the cost to defender is
minor.
Each configured BGP session already has all the state needed above to
populate the filter.
/vijay
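A toy model of the dynamic 5-tuple filter plus GTSM check that vijay describes, added here as an illustration (not code from the post or from any router vendor); the session addresses, ports and packets are constructed sample values, and the `for_us`/`through_us` decision point is simplified to a single function.

```python
from dataclasses import dataclass

BGP_PORT = 179
GTSM_TTL = 255  # GTSM: a directly connected peer's packets arrive with TTL 255

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ttl: int

@dataclass(frozen=True)
class BgpSession:
    local: str
    peer: str
    local_port: int  # 179 on the passive side, ephemeral on the active side
    peer_port: int
    gtsm: bool = False

def build_acl(sessions):
    """Dynamic ACL: one allowed TCP tuple per configured/established session.
    Everything needed is already known from the session state."""
    return {(s.peer, s.local, s.peer_port, s.local_port): s for s in sessions}

def linecard_filter(pkt, acl, local_addrs):
    """Filter applied where the for_us vs through_us decision is made.
    Returns 'through_us', 'for_us' or 'drop'."""
    if pkt.dst not in local_addrs or BGP_PORT not in (pkt.sport, pkt.dport):
        return "through_us"  # transit traffic, or not BGP at all: forwarded as usual
    sess = acl.get((pkt.src, pkt.dst, pkt.sport, pkt.dport))
    if sess is None:
        return "drop"  # a spoofed src IP alone is not enough; the port pair must match too
    if sess.gtsm and pkt.ttl != GTSM_TTL:
        return "drop"  # TTL was decremented in transit: cannot be our adjacent peer
    return "for_us"

# Constructed sample: one eBGP session where we are the passive (port 179) side.
SESSIONS = [BgpSession("192.0.2.1", "198.51.100.7", BGP_PORT, 50123, gtsm=True)]
ACL = build_acl(SESSIONS)
LOCAL = {"192.0.2.1"}

def demo():
    legit = Packet("198.51.100.7", "192.0.2.1", 50123, BGP_PORT, 255)
    wrong_port = Packet("198.51.100.7", "192.0.2.1", 40000, BGP_PORT, 255)  # src IP right, port guessed wrong
    far_away = Packet("198.51.100.7", "192.0.2.1", 50123, BGP_PORT, 250)    # tuple right, TTL says multi-hop
    transit = Packet("198.51.100.7", "203.0.113.9", 50123, BGP_PORT, 63)    # not addressed to us
    return [linecard_filter(p, ACL, LOCAL) for p in (legit, wrong_port, far_away, transit)]

if __name__ == "__main__":
    print(demo())  # ['for_us', 'drop', 'drop', 'through_us']
```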