Re: IP economics morphed into (TCP/RST)

["Stephen J. Wilcox" <steve () telecomplete co uk>]

On Tue, 20 Apr 2004, Blaine Christian wrote:

> > The other is our new hot topic of security, not sure if anyone has thought
> > of this yet (or how interesting it is) but the nature of the bgp attack
> > means that if you can view a BGP session you can figure things about a peer
> > that would otherwise be hidden from you in particular the port numbers in
> > use.. and I'm not entirely clear on the details but it sounds like when you
> > hit the first session, you can take the rest out very easily.
> >
> > We cant take BGP out of band (yet!), perhaps we can keep it better hidden
> > from view tho..
>
> There are more protection methods available than just MD5 (as you allude to
> Steve).  One mitigator is to use "non-routed" space for BGP peer
> connections.  If you have the ability to filter on TTL 255 you are in even
> better shape (arguably perfectly secure against all but
> configuration/hardware failures).  You have some vulnerability with
> non-routed space if you do default routing or have folks who default towards
> the device doing the BGP peering though.  Source routing is also a potential
> hazard for the non-routed solution (does anyone have this enabled anymore?).
>
> Apologies for the morph but this raised a great point.   

Hmm ok so assume for a moment that I dont want RFC1918 for my links, what are my 
options? :

There isnt a "link-local" for IP altho this would be a great solution (surely
this can be written for BGP??).

Or I could use all eBGP addresses from a block which I dont route and filter 
internally.. I suspect this is a non-starter, I will have to include all my 
addresses given to me by peers and its gonna screw traces, monitoring etc.

Can I use secondary IP addresses and then BGP with these addresses, this would 
be a form of "security by obscurity" but providing you can keep the info a 
secret thats surely going to do it?

Steve