[79163] in North American Network Operators' Group
Re: MD5 for TCP/BGP Sessions
daemon@ATHENA.MIT.EDU (Pekka Savola)
Thu Mar 31 12:44:12 2005
Date: Thu, 31 Mar 2005 20:43:42 +0300 (EEST)
From: Pekka Savola <pekkas@netcore.fi>
To: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
Cc: John Kristoff <jtk@northwestern.edu>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0503311126020.17446-100000@server2.tcw.telecomplete.net>
Errors-To: owner-nanog@merit.edu
On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
>> On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
>>> without wishing to repeat what can be googled for.. putting acls on your edge to
>>> protect your ebgp sessions won't work for obvious reasons -- to spoof data and
>>> disrupt a session you have to spoof the srcip which of course the acl will allow
>>> in
>>
>> This is why this helps for eBGP sessions only if the peer is also protecting its
>> borders. I.e., if you know the peer's network has spoofing-prevention enabled,
>> nobody is able to spoof the srcip the peer uses.
>
> trusting a third party to protect your network is imho not best practice, in
> addition many networks may have considerable customers inside them making
> attacking from inside trivial
That is why GTSM is useful for hardening, in addition to protecting
your borders.
When I say 'border protection', I also mean the border between an
operator and its customers. I.e., strict uRPF-like prevention, so
that nobody (neither a peer, upstream or customer) is able to spoof
the infrastructure IP addresses.
That's what we're doing, and I'd hope more people would as well.
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
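An added illustration of the point argued in this exchange (this is not code from the thread or from any of its posters): an edge ACL alone admits any segment that carries the neighbour's source address, while GTSM and strict-uRPF style ingress filtering each catch a different class of spoofed segment. All addresses, interface names, routes and sample packets are constructed values.

```python
# Why an ACL by itself does not protect an eBGP session, and what GTSM and
# strict uRPF add. Everything below is a constructed, self-contained model.
from ipaddress import ip_address, ip_network

PEER = ip_address("192.0.2.1")      # constructed eBGP neighbour address
ROUTER = ip_address("192.0.2.2")    # our address on the point-to-point link
BGP_PORT = 179
GTSM_MIN_TTL = 255                  # directly connected peer: TTL arrives undecremented

# Strict-uRPF view of the FIB: prefix -> interface through which it is reached.
ROUTES = {
    ip_network("192.0.2.0/30"): "peer-link",
    ip_network("203.0.113.0/24"): "customer-1",
}

def acl_permits(pkt):
    """Edge ACL: permit TCP/179 to us only from the configured neighbour.
    A spoofer who writes src=PEER into the header passes this check."""
    return pkt["src"] == PEER and pkt["dst"] == ROUTER and pkt["dport"] == BGP_PORT

def gtsm_permits(pkt):
    """GTSM: the peer sends with TTL 255 and every router hop decrements it,
    so a segment arriving with a lower TTL cannot have come from the
    adjacent peer, whatever its source address claims."""
    return pkt["ttl"] >= GTSM_MIN_TTL

def urpf_strict_permits(pkt):
    """Strict uRPF: accept only if the longest-match route back to the
    source address points out of the interface the packet arrived on."""
    matches = [(p, i) for p, i in ROUTES.items() if pkt["src"] in p]
    if not matches:
        return False
    _, iface = max(matches, key=lambda m: m[0].prefixlen)
    return iface == pkt["in_iface"]

def session_accepts(pkt):
    """Combined policy the thread argues for: ACL + GTSM + ingress filtering."""
    return acl_permits(pkt) and gtsm_permits(pkt) and urpf_strict_permits(pkt)

# Constructed sample segments; all three claim src=PEER, so the ACL admits them all.
GENUINE = {"src": PEER, "dst": ROUTER, "dport": 179, "ttl": 255, "in_iface": "peer-link"}
# Spoofed by a host two router hops inside the peer's network, arriving via the peer link:
# uRPF on our side cannot tell, but the TTL has been decremented twice.
INSIDE_PEER = {"src": PEER, "dst": ROUTER, "dport": 179, "ttl": 253, "in_iface": "peer-link"}
# Spoofed by a directly attached customer of ours: TTL is still 255, so only
# ingress filtering on the customer border catches it.
OUR_CUSTOMER = {"src": PEER, "dst": ROUTER, "dport": 179, "ttl": 255, "in_iface": "customer-1"}
```

Run the three segments through each check to see that only the genuine one passes all of them, and that the two spoofed cases are stopped by different controls.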