Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: MD5 for TCP/BGP Sessions

  • From: vijay gill
  • Date: Wed Mar 30 19:26:26 2005

Christopher L. Morrow wrote:
> provided your gear supports it an acl (this is one reason layered acls
> would be nice on routers) per peer with:
> permit /30 eq 179 /30
> permit /30 /30 eq 179
> deny all-network-gear-ip-space (some folks call it backbone ip space, Paul
> Quinn at cisco says: "Infrastructure ip space")
>
> no more traffic to the peer except BGP from the peer /30. No more ping, no
> more traceroute of interface... (downsides perhaps?) and the 'customer'
> can still DoS himself :( (or his compromised machine can DoS him)

or forge the source ip on the neighbor's /30 or /31 (why aren't you using /31s anyway) and call it done.

/vijay
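
Added example, not part of the original message: a small first-match evaluator for the per-peer ACL quoted above, showing what it drops and why it cannot tell a forged peer source from the real peer (so it does not replace session authentication such as TCP MD5). The addresses, the packet samples and the final "permit any" rule are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (documentation ranges), not taken from the thread.
PEER_LINK = ipaddress.ip_network("192.0.2.0/30")  # the per-peer /30
INFRA = ipaddress.ip_network("192.0.2.0/24")      # "infrastructure ip space"
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # An ACL sees header fields only; None means "any".
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and self.proto in (None, pkt["proto"])
                and self.sport in (None, pkt.get("sport"))
                and self.dport in (None, pkt.get("dport")))

ACL = [
    Rule("permit", PEER_LINK, PEER_LINK, "tcp", sport=179),
    Rule("permit", PEER_LINK, PEER_LINK, "tcp", dport=179),
    Rule("deny", ANY, INFRA),
    Rule("permit", ANY, ANY),  # assumption: transit traffic is still forwarded
]

def evaluate(pkt: dict) -> str:
    """First matching rule wins; implicit deny if nothing matches."""
    for rule in ACL:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed sample packets as seen on the customer-facing interface.
SAMPLES = {
    "bgp_from_peer": {"src": "192.0.2.2", "dst": "192.0.2.1", "proto": "tcp", "sport": 40000, "dport": 179},
    "ping_interface": {"src": "192.0.2.2", "dst": "192.0.2.1", "proto": "icmp"},
    "bgp_to_loopback": {"src": "203.0.113.7", "dst": "192.0.2.129", "proto": "tcp", "sport": 40001, "dport": 179},
    "transit": {"src": "203.0.113.7", "dst": "198.51.100.9", "proto": "udp", "sport": 5000, "dport": 53},
}
# A forged packet carries the same header as the real peer's, so the verdict is the same.
SAMPLES["forged_peer_source"] = dict(SAMPLES["bgp_from_peer"])
```
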





