|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: IP economics morphed into (TCP/RST)
On Tue, 20 Apr 2004, Blaine Christian wrote: > > The other is our new hot topic of security, not sure if anyone has thought > > of this yet (or how interesting it is) but the nature of the bgp attack > > means that if you can view a BGP session you can figure things about a peer > > that would otherwise be hidden from you in particular the port numbers in > > use.. and I'm not entirely clear on the details but it sounds like when you > > hit the first session, you can take the rest out very easily. > > > > We cant take BGP out of band (yet!), perhaps we can keep it better hidden > > from view tho.. > > There are more protection methods available than just MD5 (as you allude to > Steve). One mitigator is to use "non-routed" space for BGP peer > connections. If you have the ability to filter on TTL 255 you are in even > better shape (arguably perfectly secure against all but > configuration/hardware failures). You have some vulnerability with > non-routed space if you do default routing or have folks who default towards > the device doing the BGP peering though. Source routing is also a potential > hazard for the non-routed solution (does anyone have this enabled anymore?). > > Apologies for the morph but this raised a great point. Hmm ok so assume for a moment that I dont want RFC1918 for my links, what are my options? : There isnt a "link-local" for IP altho this would be a great solution (surely this can be written for BGP??). Or I could use all eBGP addresses from a block which I dont route and filter internally.. I suspect this is a non-starter, I will have to include all my addresses given to me by peers and its gonna screw traces, monitoring etc. Can I use secondary IP addresses and then BGP with these addresses, this would be a form of "security by obscurity" but providing you can keep the info a secret thats surely going to do it? Steve
|