nanog mailing list archives
Re: Best Current Practices for Routing Protocol Security
From: John Kristoff <jtk () aharp is-net depaul edu>
Date: Wed, 14 Aug 2002 13:44:26 -0500
On Wed, Aug 14, 2002 at 01:23:01PM -0400, Sean Donelan wrote:
> 4. Don't exchange routing information with external parties
And don't trust them. Use limits on the amount of prefixes you're willing to accept. Verify routes received with some third party (e.g. routing database).
> 5. Explicit routing neighbor associations - passive-interface default
Both inbound and outbound. On Ciscos, in addition to passive-interface you might do 'distribute-list 1 in <interface>' where 1 is an ACL that can be simply 'deny any'.
> 6. Address validation on all edge devices
Filter to only allow neighbor IPs to the specific routing protocol. For example on a BGP peer, filter TCP port 179 on each peer interface to only allow the expected peer IP.

Also:

Apply damping as appropriate, but protect subnets serving root DNS servers from accidental damping.

Limit maximum prefix length you're willing to accept.

Make extensive use of remote logging and monitoring. Keep an eye on routing table changes over time and the overall operation of the routers.

Filter out known bogus routes such as reserved, private, and special use address space as appropriate.

John
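As an added illustration (not part of John's message, and not a configuration endorsed by anyone in the thread), the Cisco IOS fragment below assembles the controls he lists into one router: passive-interface default plus a deny-any distribute-list for the IGP, an inbound prefix-list on the eBGP session that drops reserved and private space and anything longer than a /24, a maximum-prefix limit, damping that exempts root DNS server prefixes, an interface ACL that allows TCP 179 only from the expected peer, and remote logging. The interface names, the documentation ASNs 64496/64497, the 198.51.100.0/30 peering link, the 10.255.0.10 syslog host, the 120000 prefix cap and the /24 length limit are all placeholders; the bogon list is abbreviated and must be maintained against current allocations, and only one root server prefix is shown.

```cisco
! Added example, not from the original message. Interface names, ASNs,
! addresses, the maximum-prefix figure and the /24 length cutoff are
! placeholders; the bogon list is abbreviated and needs maintaining.
!
! 5. Explicit neighbor associations: no IGP adjacency unless enabled per
!    interface, and on an interface that must never learn routes, drop
!    everything it offers via a deny-any distribute-list.
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 distribute-list 1 in GigabitEthernet0/2
!
access-list 1 deny any
!
! 4/6. Don't trust external prefixes: drop reserved, private and special-use
!      space, the default route, and anything longer than a /24.
ip prefix-list EBGP-IN seq 5 deny 0.0.0.0/8 le 32
ip prefix-list EBGP-IN seq 10 deny 10.0.0.0/8 le 32
ip prefix-list EBGP-IN seq 15 deny 127.0.0.0/8 le 32
ip prefix-list EBGP-IN seq 20 deny 169.254.0.0/16 le 32
ip prefix-list EBGP-IN seq 25 deny 172.16.0.0/12 le 32
ip prefix-list EBGP-IN seq 30 deny 192.168.0.0/16 le 32
ip prefix-list EBGP-IN seq 35 deny 224.0.0.0/3 le 32
ip prefix-list EBGP-IN seq 40 deny 0.0.0.0/0 ge 25
ip prefix-list EBGP-IN seq 45 deny 0.0.0.0/0
ip prefix-list EBGP-IN seq 100 permit 0.0.0.0/0 le 24
!
! Damping with an exemption: routes denied by the route-map are not damped.
! Populate ROOT-DNS from the current root-servers.org list; one entry shown.
ip prefix-list ROOT-DNS seq 5 permit 198.41.0.0/24
!
route-map DAMP deny 10
 match ip address prefix-list ROOT-DNS
route-map DAMP permit 20
 set dampening 15 750 2000 60
!
router bgp 64496
 bgp log-neighbor-changes
 bgp dampening route-map DAMP
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 prefix-list EBGP-IN in
 neighbor 198.51.100.1 maximum-prefix 120000 90
!
! 6. Address validation on the peering interface: only the expected peer may
!    speak BGP (TCP 179) to this router; log anything else that tries.
ip access-list extended PEER-BGP-IN
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 deny tcp any any eq bgp log
 deny tcp any eq bgp any log
 permit ip any any
!
interface GigabitEthernet0/1
 description eBGP peer AS64497
 ip address 198.51.100.2 255.255.255.252
 ip access-group PEER-BGP-IN in
!
! Remote logging so neighbor changes and ACL hits leave the box.
logging host 10.255.0.10
logging trap informational
```

Two things to check before deploying anything like this: the `maximum-prefix` figure must track the real size of the table the peer sends (a full table in 2002 was well over 100000 routes, and the warning threshold of 90% fires before the session is torn down), and the deny-any `distribute-list` only keeps the router from installing what arrives on GigabitEthernet0/2; it does not stop an adjacency forming there, which is what `passive-interface default` is for.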