North American Network Operators Group

Re: MD5 for TCP/BGP Sessions
On Thu, 31 Mar 2005, Pekka Savola wrote:

> On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
> > without wishing to repeat what can be googled for.. putting acls on your edge to
> > protect your ebgp sessions wont work for obvious reasons -- to spoof data and
> > disrupt a session you have to spoof the srcip which of course the acl will allow
> > in
>
> This is why this helps for eBGP sessions only the peer is also protecting its
> borders. I.e., if you know the peer's network has spoofing-prevention enabled,
> nobody is able to spoof the srcip the peer uses.

trusting a third party to protect your network is imho not best practice, in addition many networks may have considerable customers inside them making attacking from inside trivial

Steve