North American Network Operators Group


Re: Winstar says there is no TCP/BGP vulnerability

  • From: Jared Mauch
  • Date: Wed Apr 21 11:37:29 2004

On Wed, Apr 21, 2004 at 11:11:57AM -0400, Patrick W.Gilmore wrote:
> 
> On Apr 21, 2004, at 10:38 AM, Jared Mauch wrote:
> 
> >On Wed, Apr 21, 2004 at 10:19:10AM -0400, Patrick W.Gilmore wrote:
> >>
> >>>Yes, it generates more work to update the database,
> >>>but OTOH it provides the LIII engineer with a lot more to 
> >>>troubleshoot
> >>>issues. Is it simply not worth the work at your scale?
> >>
> >>Exactly.
> >>
> >>And you do not have to be at 701's scale for this to not work.
> >
> >	We've not had these issues and have been using
> >bgp passwords/md5 for years.  We do have a fancy configuration
> >management system in place, whereby people put things into the
> >database first before they configure the router.
> 
> Sorry, in this particular post, we were (or at least I was) talking 
> about having prefix filters for all your peers.  I know I've talked a 
> lot about MD5 lately, just thought it would be a nice change of 
> subject. :)

	(sorry, i was speaking to the md5 issue here as well.. but
i can comment on the peer prefix-filtering issue as well..)

> If you do prefix filter all your peers, that is impressive.  Do you get 
> out of sync a lot?  Does it help keep the network more stable?  Or do 
> process problems make it worse than just max-prefixes on a peer?

	We have some peers that fluctuate prefix ranges enough (even
in a 24 hr period) it is causing problems.

	we had 4MB+ router configs @ LINX when we were doing full peer
prefix filtering.  It's easier to do in Europe as RIPE provides
a well-structured (yet annoying at times) registration system
whereby people need to know how to set up the route objects
to get PI space.  People also tend to be more clued there than
joe-average ISP elsewhere that runs BGP.  People here say "why
should i have to register my routes, just accept what i announce"
whereas people in Europe have (more than) half the work already
done as part of their obligations/interaction with RIPE.

	- jared

-- 
Jared Mauch  | pgp key available via finger from [email protected]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
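The per-peer prefix filtering discussed in this thread is usually generated from registry route objects; the example below is added here and is not code from the post or from any of the networks named in it. It assumes constructed RPSL route objects (documentation prefixes, private ASNs), emits IOS-style prefix-list lines, and flags a peer whose registered prefix set churned past a threshold between two generator runs, which is the out-of-sync problem the reply describes.

```python
import ipaddress
import re

# Constructed RPSL route objects in the shape a "whois" query against an IRR returns.
# Documentation prefixes and private ASNs only; this is not real registry data.
IRR_YESTERDAY = """\
route:   192.0.2.0/24
origin:  AS64496

route:   198.51.100.0/24
origin:  AS64496

route:   203.0.113.0/24
origin:  AS64497
"""
# Today's snapshot adds one more-specific for the same peer (constructed churn).
IRR_TODAY = IRR_YESTERDAY + """
route:   198.51.100.0/25
origin:  AS64496
"""

def parse_route_objects(text):
    """Return (prefix, origin ASN) tuples from blank-line separated RPSL route objects."""
    routes = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(re.findall(r"^(\w+):\s*(\S+)", block, re.M))
        if "route" in attrs and "origin" in attrs:
            routes.append((ipaddress.ip_network(attrs["route"]), attrs["origin"].upper()))
    return routes

def prefixes_for_origin(routes, asn):
    """Registered prefixes for one origin AS, sorted so the generated config is stable."""
    return sorted({p for p, o in routes if o == asn},
                  key=lambda n: (n.network_address, n.prefixlen))

def render_prefix_list(name, prefixes):
    """IOS-style prefix-list: one permit per registered route, implicit deny at the end."""
    return [f"ip prefix-list {name} seq {10 * (i + 1)} permit {p}"
            for i, p in enumerate(prefixes)]

def churn(old, new):
    """Fraction of the combined prefix set that was added or withdrawn between two runs."""
    old, new = set(old), set(new)
    union = old | new
    return len(old ^ new) / len(union) if union else 0.0

def build_filter(asn, yesterday_text, today_text, churn_limit=0.25):
    """Generate today's filter for a peer and flag it for review when its registry
    data moved more than churn_limit since the last run (hypothetical threshold)."""
    old = prefixes_for_origin(parse_route_objects(yesterday_text), asn)
    new = prefixes_for_origin(parse_route_objects(today_text), asn)
    moved = churn(old, new)
    return {"config": render_prefix_list(f"{asn}-IN", new),
            "churn": moved, "review": moved > churn_limit}
```

A peer flagged for review is a candidate for the max-prefix fallback the thread mentions rather than a regenerated strict list.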