[69951] in North American Network Operators' Group
Re: IP economics morphed into (TCP/RST)
daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Thu Apr 22 10:11:50 2004
Date: Thu, 22 Apr 2004 15:11:06 +0100 (BST)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: Blaine Christian <blaine.christian@mci.com>
Cc: nanog@merit.edu
In-Reply-To: <004701c4270d$ccb9e710$948d2799@mcilink.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 20 Apr 2004, Blaine Christian wrote:
> > The other is our new hot topic of security, not sure if anyone has thought
> > of this yet (or how interesting it is) but the nature of the bgp attack
> > means that if you can view a BGP session you can figure things about a peer
> > that would otherwise be hidden from you in particular the port numbers in
> > use.. and I'm not entirely clear on the details but it sounds like when you
> > hit the first session, you can take the rest out very easily.
> >
> > We can't take BGP out of band (yet!), perhaps we can keep it better hidden
> > from view though..
>
> There are more protection methods available than just MD5 (as you allude to
> Steve). One mitigator is to use "non-routed" space for BGP peer
> connections. If you have the ability to filter on TTL 255 you are in even
> better shape (arguably perfectly secure against all but
> configuration/hardware failures). You have some vulnerability with
> non-routed space if you do default routing or have folks who default towards
> the device doing the BGP peering though. Source routing is also a potential
> hazard for the non-routed solution (does anyone have this enabled anymore?).
>
> Apologies for the morph but this raised a great point.
Hmm, ok, so assume for a moment that I don't want RFC1918 for my links; what are my
options?
There isn't a "link-local" for IP, although this would be a great solution (surely
this can be written for BGP??).
Or I could use all eBGP addresses from a block which I don't route and filter
internally.. I suspect this is a non-starter, I will have to include all my
addresses given to me by peers and it's gonna screw traces, monitoring etc.
Can I use secondary IP addresses and then BGP with these addresses? This would
be a form of "security by obscurity", but providing you can keep the info a
secret that's surely going to do it?
Steve
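As an added illustration (example code written for this archive note, not from either poster), here is a small model of the two mitigators Blaine describes: accepting BGP segments only from a non-routed peering block, and filtering on TTL 255, generalised to a configured hop count so multihop sessions fit the same rule. The peering block, neighbors and sample segments are constructed (documentation prefixes), and the TTL check is what still holds when the address check alone is undermined by default routing, as Blaine notes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample configuration (documentation prefixes, not a real network).
PEERING_BLOCK = "192.0.2.0/24"  # block reserved for eBGP links, not routed internally

@dataclass(frozen=True)
class Peer:
    address: str       # configured eBGP neighbor address
    max_hops: int = 1  # 1 = directly connected (the usual eBGP case)

PEERS = (Peer("192.0.2.1"), Peer("192.0.2.9", max_hops=2))

def required_ttl(max_hops: int) -> int:
    """Lowest TTL a genuine peer can arrive with: the peer sends TTL 255 and each
    intermediate router subtracts one, so a peer max_hops away shows at least
    256 - max_hops.  TTL is an 8-bit field, so a forged packet from further away
    cannot be made to arrive any higher than a real one."""
    return 256 - max_hops

def arriving_ttl(sent_ttl: int, routers_between: int) -> int:
    """TTL as the receiving router sees it, before it decrements the packet itself."""
    return sent_ttl - routers_between

def accept_bgp_segment(src: str, ttl: int, peers=PEERS, block=PEERING_BLOCK):
    """Return (accepted, reason): source must be inside the non-routed peering block
    and a configured neighbor, and its TTL must fit the configured hop distance."""
    if ip_address(src) not in ip_network(block):
        return False, "source outside peering block"
    peer = next((p for p in peers if p.address == src), None)
    if peer is None:
        return False, "not a configured neighbor"
    need = required_ttl(peer.max_hops)
    if ttl < need:
        return False, f"ttl {ttl} below required {need}"
    return True, "accepted"

# Constructed sample segments: (source, arriving TTL, what the sample models).
SAMPLE_SEGMENTS = (
    ("192.0.2.1", arriving_ttl(255, 0), "directly connected peer"),
    ("192.0.2.1", arriving_ttl(255, 1), "forged source, one router away"),
    ("192.0.2.9", arriving_ttl(255, 1), "multihop peer at its configured distance"),
    ("192.0.2.9", arriving_ttl(255, 5), "forged multihop source, too far away"),
    ("198.51.100.7", 255, "source outside the peering block"),
)

def filter_samples():
    """Run every sample through the filter; returns (label, accepted, reason) triples."""
    return [(label, *accept_bgp_segment(src, ttl)) for src, ttl, label in SAMPLE_SEGMENTS]

if __name__ == "__main__":
    for label, ok, why in filter_samples():
        print(f"{'ACCEPT' if ok else 'DROP  '} {label}: {why}")
```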