[79127] in North American Network Operators' Group


Re: MD5 for TCP/BGP Sessions

daemon@ATHENA.MIT.EDU (Pekka Savola)
Thu Mar 31 01:24:35 2005

Date: Thu, 31 Mar 2005 09:23:59 +0300 (EEST)
From: Pekka Savola <pekkas@netcore.fi>
To: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
Cc: John Kristoff <jtk@northwestern.edu>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0503310016240.17446-100000@server2.tcw.telecomplete.net>
Errors-To: owner-nanog@merit.edu


On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
> without wishing to repeat what can be googled for.. putting acls on your edge to
> protect your ebgp sessions won't work for obvious reasons -- to spoof data and
> disrupt a session you have to spoof the srcip which of course the acl will allow
> in

This is why this helps for eBGP sessions only if the peer is also
protecting its borders. I.e., if you know the peer's network has 
spoofing-prevention enabled, nobody is able to spoof the srcip the 
peer uses.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
