Re: MD5 for TCP/BGP Sessions

[Pekka Savola <pekkas () netcore fi>]

On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
> > On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
> > > without wishing to repeat what can be googled for.. putting acls on your edge to
> > > protect your ebgp sessions wont work for obvious reasons -- to spoof data and
> > > disrupt a session you have to spoof the srcip which of course the acl will allow
> > > in
> >
> > This is why this helps for eBGP sessions only the peer is also protecting its
> > borders. I.e., if you know the peer's network has spoofing-prevention enabled,
> > nobody is able to spoof the srcip the peer uses.
>
> trusting a third party to protect your network is imho not best practice, in
> addition many networks may have considerable customers inside them making
> attacking from inside trivial

That is why GTSM is useful for hardening, in addition to protecting 
your borders.

When I say 'border protection', I also mean the border between an 
operator and its customers.  I.e., strict uRPF -like prevention, so 
that nobody (neither a peer, upstream or customer) is able to spoof 
the infrastructure IP addresses.

That's what we're doing, and I'd hope more people would as well.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings