[69973] in North American Network Operators' Group


Re: Alternate and/or hidden infrastructure addresses (BGP/TCP RST/SYN vulnerability)

daemon@ATHENA.MIT.EDU (Matthew Crocker)
Thu Apr 22 19:54:38 2004

In-Reply-To: <20040422232458.GA49118@scylla.towardex.com>
From: Matthew Crocker <matthew@crocker.com>
Date: Thu, 22 Apr 2004 19:53:57 -0400
To: 'nanog@merit.edu' <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu


> next thing to protect is customer ebgp sessions. some providers don't even
> route the p2p /30 links used between cust and their backbone (i.e. Sprint).
> so that's up to you.
>
> some backbones even filter all traffic destined to backbone prefixes at
> ingress points (border routers, cust edge routers)... for example.. att
> being one. for example, here comes random test:

Couldn't we use 2 /30 subnets on PtP links?  1 /30 with real IPs for 
ICMP, MTU, reachability etc. and one RFC1918 /30 as secondary for eBGP 
sessions.  I know when a router originates a packet (like with BGP) it 
sets the source IP to the IP of the interface the packet leaves.  Is 
BGP smart enough when setting up BGP neighbors to use an IP in the same 
subnet as the neighbor (the secondary interface IP)?

