nanog mailing list archives
Re: MD5 for TCP/BGP Sessions
From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Thu, 31 Mar 2005 05:57:07 +0000 (GMT)
On Wed, 30 Mar 2005, vijay gill wrote:
> Christopher L. Morrow wrote:
>
> > provided your gear supports it an acl (this is one reason layered acls
> > would be nice on routers) per peer with:
> >
> > permit /30 eq 179 /30
> > permit /30 /30 eq 179
> > deny all-network-gear-ip-space (some folks call it backbone ip space,
> > Paul Quinn at cisco says: "Infrastructure ip space")
> >
> > no more traffic to the peer except BGP from the peer /30. No more ping,
> > no more traceroute of interface... (downsides perhaps?) and the
> > 'customer' can still DoS himself :( (or his compromised machine can DoS
> > him)
>
> or forge the source ip on the neighbors /30 or /31 (why aren't you using
> /31s anyway) and call it done.

curse you and your new-fangled /31's! :)

Yes, someone inside the customer could dos the customer... if the customer cared, they could acl their side as well though since they aren't doing egress filtering I'm betting they aren't going to do this either ;(

-Chris
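
Added example, not part of the original message: a small Python model of the per-peer ACL quoted above, evaluated first-match over constructed packets. The addresses are documentation prefixes chosen here, and the trailing permit for transit traffic is an assumption the message does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (documentation prefixes), not taken from the thread.
LINK = ipaddress.ip_network("192.0.2.0/30")   # peer /30: router .1, customer .2
INFRA = ipaddress.ip_network("192.0.2.0/24")  # "infrastructure ip space"
ANY = ipaddress.ip_network("0.0.0.0/0")
BGP = 179

@dataclass(frozen=True)
class Rule:
    action: str
    proto: Optional[str]          # None matches any protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]          # None matches any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def matches(self, proto, src, sport, dst, dport):
        return ((self.proto is None or self.proto == proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.sport is None or self.sport == sport)
                and (self.dport is None or self.dport == dport))

# Inbound ACL on the customer-facing interface, first match wins.
PEER_ACL = [
    Rule("permit", "tcp", LINK, BGP, LINK, None),  # permit /30 eq 179 /30
    Rule("permit", "tcp", LINK, None, LINK, BGP),  # permit /30 /30 eq 179
    Rule("deny", None, ANY, None, INFRA, None),    # deny infrastructure space
    Rule("permit", None, ANY, None, ANY, None),    # assumed: transit still passes
]

def evaluate(proto, src, dst, sport=None, dport=None, acl=PEER_ACL):
    """Return (action, rule index) of the first matching rule; implicit deny otherwise."""
    for index, rule in enumerate(acl):
        if rule.matches(proto, src, sport, dst, dport):
            return rule.action, index
    return "deny", None

if __name__ == "__main__":
    print(evaluate("tcp", "192.0.2.2", "192.0.2.1", 40000, BGP))      # BGP from the peer
    print(evaluate("icmp", "192.0.2.2", "192.0.2.1"))                 # ping of the interface
    print(evaluate("tcp", "198.51.100.7", "192.0.2.129", 40000, BGP)) # customer host to a backbone router
    print(evaluate("tcp", "198.51.100.7", "203.0.113.10", 40000, 443))# ordinary transit
    # The ACL sees headers only: any packet arriving on this interface with a
    # source in the link /30 matches the BGP permits, the residual case the
    # thread notes.
```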