[69812] in North American Network Operators' Group
IP economics morphed into (TCP/RST)
daemon@ATHENA.MIT.EDU (Blaine Christian)
Tue Apr 20 15:35:03 2004
From: "Blaine Christian" <blaine.christian@mci.com>
To: "'Stephen J. Wilcox'" <steve@telecomplete.co.uk>,
"'Patrick W.Gilmore'" <patrick@ianai.net>
Cc: <nanog@merit.edu>
Date: Tue, 20 Apr 2004 15:29:29 -0400
In-reply-to: <Pine.LNX.4.44.0404201856430.15106-100000@server2.tcw.telecomplete.net>
Errors-To: owner-nanog-outgoing@merit.edu
> The other is our new hot topic of security, not sure if anyone has
> thought of this yet (or how interesting it is) but the nature of the
> bgp attack means that if you can view a BGP session you can figure
> things about a peer that would otherwise be hidden from you in
> particular the port numbers in use.. and I'm not entirely clear on the
> details but it sounds like when you hit the first session, you can
> take the rest out very easily.
>
> We can't take BGP out of band (yet!), perhaps we can keep it better
> hidden from view tho..

There are more protection methods available than just MD5 (as you allude
to, Steve). One mitigator is to use "non-routed" space for BGP peer
connections. If you have the ability to filter on TTL 255 you are in even
better shape (arguably perfectly secure against all but
configuration/hardware failures). You have some vulnerability with
non-routed space if you do default routing or have folks who default
towards the device doing the BGP peering though. Source routing is also a
potential hazard for the non-routed solution (does anyone have this
enabled anymore?).

Apologies for the morph but this raised a great point.

Regards,
Blaine
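
An added example, not part of the original message: a minimal Python sketch of the TTL 255 filter described above, applied to raw IPv4/TCP packets aimed at a BGP session on TCP port 179. The peer address, the `build_packet` helper and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

BGP_PORT = 179
# Constructed peer address (assumption): the directly connected BGP neighbour.
PEERS = {ipaddress.ip_address("192.0.2.1")}

def build_packet(src, dst, sport, dport, ttl, flags):
    """Build a minimal IPv4+TCP packet (checksums left zero) as sample input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip + tcp

def verdict(packet):
    """Return 'accept', 'drop' or 'ignore' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "ignore"                      # not IPv4
    ihl = (packet[0] & 0x0F) * 4             # IP header length in bytes
    ttl, proto = packet[8], packet[9]
    if proto != 6 or ihl < 20 or len(packet) < ihl + 4:
        return "ignore"                      # not TCP, or truncated
    src = ipaddress.ip_address(packet[12:16])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if BGP_PORT not in (sport, dport):
        return "ignore"                      # not BGP traffic
    # A directly connected peer sends with TTL 255 and no router decrements
    # it. Anything forwarded by at least one router arrives with TTL <= 254,
    # so a forged source address alone does not pass this check.
    if src in PEERS and ttl == 255:
        return "accept"
    return "drop"

RST, ACK = 0x04, 0x10
# Constructed samples: a genuine peer segment, two forged resets that crossed
# routers on the way, a non-peer source, and unrelated traffic.
SAMPLES = {
    "peer_ack": build_packet("192.0.2.1", "192.0.2.2", 179, 40001, 255, ACK),
    "forged_rst_far": build_packet("192.0.2.1", "192.0.2.2", 179, 40001, 250, RST),
    "forged_rst_one_hop": build_packet("192.0.2.1", "192.0.2.2", 179, 40001, 254, RST),
    "non_peer": build_packet("198.51.100.7", "192.0.2.2", 40002, 179, 255, RST),
    "other_tcp": build_packet("198.51.100.7", "192.0.2.2", 40003, 22, 64, ACK),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} {verdict(pkt)}")
```

The check only works when the peer itself sends BGP packets with TTL 255, so both ends of the session have to be configured for it.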