North American Network Operators Group


Re: MD5 for TCP/BGP Sessions

  • From: Christopher L. Morrow
  • Date: Thu Mar 31 00:58:06 2005


On Wed, 30 Mar 2005, vijay gill wrote:

> Christopher L. Morrow wrote:
> >
> > provided your gear supports it an acl (this is one reason layered acls
> > would be nice on routers) per peer with:
> > permit /30 eq 179 /30
> > permit /30 /30 eq 179
> > deny all-network-gear-ip-space (some folks call it backbone ip space, Paul
> > Quinn at cisco says: "Infrastructure ip space")
> >
> > no more traffic to the peer except BGP from the peer /30. No more ping, no
> > more traceroute of interface... (downsides perhaps?) and the 'customer'
> > can still DoS himself :( (or his compromised machine can DoS him)
> >
>
> or forge the source ip on the neighbor's /30 or /31 (why aren't you using
> /31s anyway) and call it done.

curse you and your new-fangled /31s! :) Yes, someone inside the customer
could DoS the customer... if the customer cared, they could acl their side
as well, though since they aren't doing egress filtering I'm betting they
aren't going to do this either ;(

-Chris
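The per-peer ACL from the thread, modelled as code so the two points made above can be checked: BGP from the peer /30 passes, everything else aimed at infrastructure space is dropped, and a packet from inside the customer's network that forges the customer router's /30 address is indistinguishable to this ACL, which is why the filter has to sit on the customer's own LAN-facing edge. This is an added example, not code from the posters; the addresses are constructed documentation-range samples and the "transit passes by default" behaviour is an assumption.

```python
"""Model of the per-peer ACL from the thread above (example code, not from the
list posting). Addresses are constructed documentation-range samples."""
from ipaddress import ip_address, ip_network

# Constructed sample values: the peer link /30 and the provider's infrastructure
# ("backbone") space the ACL protects; the link itself lies inside that space.
INFRA_SPACE = ip_network("192.0.2.0/24")
PEER_LINK = ip_network("192.0.2.0/30")   # .1 = our router, .2 = customer router
BGP_PORT = 179

# The three rules from the message, in order; first match wins.
# Rule fields: (src_net, src_port, dst_net, dst_port, action); None = any.
RULES = [
    (PEER_LINK, BGP_PORT, PEER_LINK, None, "permit"),  # permit /30 eq 179 /30
    (PEER_LINK, None, PEER_LINK, BGP_PORT, "permit"),  # permit /30 /30 eq 179
    (None, None, INFRA_SPACE, None, "deny"),           # deny infrastructure space
]
DEFAULT = "permit"  # assumption: transit to non-infrastructure destinations passes

def evaluate(src, sport, dst, dport, proto="tcp"):
    """Verdict ('permit'/'deny') for one inbound packet on the peer interface."""
    src, dst = ip_address(src), ip_address(dst)
    for src_net, s_port, dst_net, d_port, action in RULES:
        if src_net is not None and src not in src_net:
            continue
        if dst_net is not None and dst not in dst_net:
            continue
        # The port-qualified rules are TCP rules; they never match ICMP/UDP.
        if (s_port is not None or d_port is not None) and proto != "tcp":
            continue
        if s_port is not None and sport != s_port:
            continue
        if d_port is not None and dport != d_port:
            continue
        return action
    return DEFAULT

def customer_egress_permits(src):
    """Customer-side egress filter on the LAN-facing interface: only the
    customer's router legitimately sources packets from the link /30, so a
    LAN host using a /30 source address is dropped before it reaches us."""
    return ip_address(src) not in PEER_LINK

if __name__ == "__main__":
    spoofed = ("192.0.2.2", 40000, "192.0.2.1", BGP_PORT)  # LAN host forging .2
    print("spoofed BGP from LAN host:", evaluate(*spoofed))  # permit: ACL cannot tell
    print("ping our interface:", evaluate("192.0.2.2", None, "192.0.2.1", None, "icmp"))  # deny
    print("customer edge drops it:", not customer_egress_permits("192.0.2.2"))  # True
```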