North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: What Worked - What Didn't

  • From: Valdis.Kletnieks
  • Date: Mon Sep 17 14:49:15 2001

On Mon, 17 Sep 2001 14:32:35 EDT, "Patrick W. Gilmore" <[email protected]>  said:
> If someone can splice into my point-to-point OC system, fake being the 
> router on the other end, and keep my peer from calling me and asking what 

You *do* do ingress and egress filtering of your own addresses, and have checked
that your router does in fact use cryptographically challenging seuquence
numbers, right?

And even if you don't, using MD5 is not *that* expensive (or shouldn't be),
and provides security in depth.

Unfortunately, I'll bet there's a LOT of routers that don't have filtering
in place, don't have good sequence numbers, and don't use MD5.  Enough said...
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech

Attachment: pgp00013.pgp
Description: PGP signature