North American Network Operators Group
Historical IP economics morphed into (TCP/RST)
> The other is our new hot topic of security, not sure if anyone has
> thought of this yet (or how interesting it is) but the nature of the
> bgp attack means that if you can view a BGP session you can figure
> things about a peer that would otherwise be hidden from you, in
> particular the port numbers in use.. and I'm not entirely clear on the
> details but it sounds like when you hit the first session, you can take
> the rest out very easily.
>
> We can't take BGP out of band (yet!), perhaps we can keep it better
> hidden from view though..

There are more protection methods available than just MD5 (as you allude to, Steve). One mitigator is to use "non-routed" space for BGP peer connections. If you have the ability to filter on TTL 255 you are in even better shape (arguably perfectly secure against all but configuration/hardware failures).

You have some vulnerability with non-routed space if you do default routing or have folks who default towards the device doing the BGP peering though. Source routing is also a potential hazard for the non-routed solution (does anyone have this enabled anymore?).

Apologies for the morph but this raised a great point.

Regards,
Blaine
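The TTL 255 filter Blaine describes (later standardized as GTSM, RFC 5082) relies on every router hop decrementing TTL, so only a directly connected host can deliver a segment that still carries TTL 255. The following is an added illustration, not code from the thread or any vendor; the peer addresses, router address and packet model are constructed, and it also shows why a non-peer that reaches the "non-routed" address via a default route is still rejected by the peer check.

```python
from dataclasses import dataclass, replace

BGP_PORT = 179
MAX_TTL = 255

# Constructed peer table: addresses drawn from the "non-routed" peering block.
PEERS = {"192.0.2.1", "192.0.2.5"}
ROUTER = "192.0.2.2"  # constructed local peering address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ttl: int


def forward(pkt: Packet, hops: int) -> Packet:
    """Model transit: each router hop decrements TTL by one, so anything
    that crossed even one hop cannot arrive with TTL 255."""
    if pkt.ttl <= hops:
        raise ValueError("TTL expired in transit")
    return replace(pkt, ttl=pkt.ttl - hops)


def accept_bgp(pkt: Packet, local: str) -> tuple[bool, str]:
    """Inbound filter on the peering router `local`; returns (accepted, reason)."""
    if pkt.dst != local or BGP_PORT not in (pkt.sport, pkt.dport):
        return True, "not BGP to this router; outside the filter's scope"
    if pkt.src not in PEERS:
        return False, "source is not a configured peer"
    if pkt.ttl != MAX_TTL:
        return False, f"TTL {pkt.ttl} != {MAX_TTL}: not from a directly connected host"
    return True, "accepted"


def demo() -> dict:
    legit = Packet("192.0.2.1", ROUTER, 50000, BGP_PORT, MAX_TTL)
    # Off-path host spoofing the peer's address, three hops away: TTL decays.
    spoofed = forward(replace(legit, sport=4321), hops=3)
    # Adjacent host defaulting toward the router, but not a configured peer.
    stranger = Packet("203.0.113.9", ROUTER, 1234, BGP_PORT, MAX_TTL)
    return {"legit": accept_bgp(legit, ROUTER),
            "spoofed": accept_bgp(spoofed, ROUTER),
            "stranger": accept_bgp(stranger, ROUTER)}
```

The TTL check does nothing for an attacker on the same link as the peer, which is exactly the residual exposure the message attributes to configuration and hardware failures.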