North American Network Operators Group

Re: Winstar says there is no TCP/BGP vulnerability
You can add an RPF-flavored filter like:

Make core-facing network interfaces drop or not route the /30 or /24 your peering interface is on. Many NAP fabrics IPs are blackholed at borders like they should be.

Or you could move your peers to 10.x.x.x addresses and NOT route them inside your network, or have them destined to your blackhole community..

Better still. Just have all of your border routers announce the specific address blocks you have peers or directly connected interfaces on with your blackhole community. The routers with directly connected interfaces shouldn't mind the exported route and the routers that receive it shouldn't be routing it anyway.

Deepak Jain
AiNET

James wrote:
> anti spoofing filtering won't help you with your ebgp peer if the packet is spoofed to your peer's address and hits the peering interface.
>
> try adding GTSM with anti-spoofing. makes it far harder..
>
> -J
>
> On Thu, Apr 22, 2004 at 12:14:55AM -0700, Alexei Roudnev wrote:
>> If they make proper anti-spoofing filtering, no need for MD5.
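A small Python model of the three filters discussed in this thread, added here as an illustration and not posted by anyone in the thread. The addresses (RFC 5737 documentation ranges), the interface names and the `verdict` function are constructed assumptions; it shows which filter stops a packet carrying the peer's source address depending on where it enters.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample topology (documentation ranges, not taken from the thread).
PEERING_NET = ip_network("192.0.2.0/30")      # subnet the eBGP session runs on
LOCAL_ADDR = ip_address("192.0.2.1")          # our end of the peering link
PEER_ADDR = ip_address("192.0.2.2")           # the eBGP peer
OUR_BLOCKS = [ip_network("198.51.100.0/24")]  # address space we originate
BGP_PORT = 179

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    ttl: int        # TTL as seen on arrival at the border router
    in_iface: str   # "peering" (link to the peer) or "core" (core-facing)

def verdict(p, blackhole=True, gtsm=True):
    """Return 'accept' or the name of the first filter that drops the packet."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    # Anti-spoofing: traffic from outside must not claim our own addresses.
    # A packet claiming the peer's address on the peering link passes this.
    if p.in_iface == "peering" and (
        src == LOCAL_ADDR or any(src in n for n in OUR_BLOCKS)
    ):
        return "drop: anti-spoofing"
    # Peering subnet is not routed inside the network, so nothing arriving
    # on a core-facing interface may be addressed to it.
    if blackhole and p.in_iface == "core" and dst in PEERING_NET:
        return "drop: peering subnet not routed from core"
    # GTSM (RFC 5082): a directly connected peer sends TTL 255; any packet
    # that crossed a router on the way arrives with a lower TTL.
    if gtsm and dst == LOCAL_ADDR and p.dport == BGP_PORT and p.ttl != 255:
        return "drop: GTSM"
    return "accept"

# Constructed sample packets.
legit = Packet("192.0.2.2", "192.0.2.1", BGP_PORT, 255, "peering")
spoof_link = Packet("192.0.2.2", "192.0.2.1", BGP_PORT, 250, "peering")
spoof_core = Packet("192.0.2.2", "192.0.2.1", BGP_PORT, 243, "core")
own_src = Packet("198.51.100.7", "192.0.2.1", BGP_PORT, 255, "peering")

if __name__ == "__main__":
    for name, pkt in [("legit", legit), ("spoof_link", spoof_link),
                      ("spoof_core", spoof_core), ("own_src", own_src)]:
        print(f"{name:11s} all filters: {verdict(pkt):42s} "
              f"anti-spoofing only: {verdict(pkt, blackhole=False, gtsm=False)}")
```
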