[79105] in North American Network Operators' Group
Re: MD5 for TCP/BGP Sessions
daemon@ATHENA.MIT.EDU (vijay gill)
Wed Mar 30 19:25:32 2005
Date: Wed, 30 Mar 2005 19:24:43 -0500
From: vijay gill <vgill@vijaygill.com>
To: "Christopher L. Morrow" <christopher.morrow@mci.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.58.0503310003280.17593@sharpie.argfrp.us.uu.net>
Errors-To: owner-nanog@merit.edu
Christopher L. Morrow wrote:
>
> provided your gear supports it, an acl (this is one reason layered acls
> would be nice on routers) per peer with:
> permit /30 eq 179 /30
> permit /30 /30 eq 179
> deny all-network-gear-ip-space (some folks call it backbone ip space, Paul
> Quinn at cisco says: "Infrastructure ip space")
>
> no more traffic to the peer except BGP from the peer /30. No more ping, no
> more traceroute of interface... (downsides perhaps?) and the 'customer'
> can still DoS himself :( (or his compromised machine can DoS him)
>
or forge the source ip on the neighbor's /30 or /31 (why aren't you using
/31s anyway) and call it done.
/vijay
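The per-peer ACL sketched in the quoted message, modelled as an added example (not code from either poster): it builds the entries in the order given (permit TCP/179 between the link /30 endpoints, then deny everything aimed at infrastructure space), renders them as Cisco IOS extended-ACL lines, and evaluates constructed sample packets against them. Addresses are from the RFC 5737 documentation ranges; the trailing `permit ip any any` is an assumption, since the thread lists only the first three entries but the customer's transit traffic still has to pass. The last sample packet carries the link /30 as its source address without legitimately coming from the peer, which is the point of the reply: the ACL permits it just like real BGP, so address filtering alone does not authenticate the session, which is what the TCP MD5 option in the thread subject is for.

```python
"""Model of the per-peer BGP infrastructure ACL described in the thread.

Added example with constructed addresses (RFC 5737 documentation space);
not configuration from either poster.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "tcp", "icmp", or "ip" (matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

    def to_ios(self) -> str:
        """Render as a Cisco IOS extended-ACL line (wildcard = inverted mask)."""
        def endpoint(net: ipaddress.IPv4Network, port: Optional[int]) -> str:
            where = "any" if net == ANY else f"{net.network_address} {net.hostmask}"
            return where + (f" eq {port}" if port is not None else "")
        return (f"{self.action} {self.proto} "
                f"{endpoint(self.src, self.sport)} {endpoint(self.dst, self.dport)}")


def build_peer_acl(link: str, infrastructure: List[str]) -> List[Rule]:
    """Ingress ACL for one peering interface, in the order the thread gives it."""
    link_net = ipaddress.ip_network(link)
    acl = [
        Rule("permit", "tcp", link_net, link_net, sport=179),   # permit /30 eq 179 /30
        Rule("permit", "tcp", link_net, link_net, dport=179),   # permit /30 /30 eq 179
    ]
    # deny all-network-gear-ip-space: one entry per infrastructure block
    acl += [Rule("deny", "ip", ANY, ipaddress.ip_network(b)) for b in infrastructure]
    # Assumption: the thread stops at the deny; transit traffic must still pass,
    # so an explicit permit is appended ahead of the IOS implicit deny.
    acl.append(Rule("permit", "ip", ANY, ANY))
    return acl


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; nothing matched falls to the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def render_ios(acl: List[Rule]) -> List[str]:
    return [rule.to_ios() for rule in acl]


# Constructed topology: provider side .1, peer side .2 on the link /30, which
# itself sits inside the provider's infrastructure block. Loopbacks in a second block.
LINK = "198.51.100.0/30"
INFRASTRUCTURE = ["198.51.100.0/24", "203.0.113.0/24"]

SAMPLES = {
    "bgp_from_peer":        Packet("198.51.100.2", "198.51.100.1", "tcp", 40123, 179),
    "bgp_reply_from_peer":  Packet("198.51.100.2", "198.51.100.1", "tcp", 179, 40123),
    "ping_interface":       Packet("198.51.100.2", "198.51.100.1", "icmp"),
    "ssh_to_loopback":      Packet("198.51.100.2", "203.0.113.7", "tcp", 51000, 22),
    "transit_https":        Packet("198.51.100.2", "192.0.2.80", "tcp", 51001, 443),
    # Source inside the link /30 but not originated by the peer: the ACL cannot tell.
    "spoofed_link_source":  Packet("198.51.100.1", "198.51.100.1", "tcp", 40124, 179),
}


def classify_samples() -> dict:
    acl = build_peer_acl(LINK, INFRASTRUCTURE)
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for line in render_ios(build_peer_acl(LINK, INFRASTRUCTURE)):
        print(line)
    for name, verdict in classify_samples().items():
        print(f"{name:22s} {verdict}")
```

Running it prints the four ACL lines and then one verdict per sample: the two BGP packets and the transit packet are permitted, ping to the interface and SSH to a loopback are denied, and the packet forging a link /30 source is permitted exactly like the legitimate session, which is why the ACL is a filter and not an authentication mechanism.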