nanog mailing list archives
Re: protecting operational networks
From: Vadim Antonov <avg () pluris com>
Date: Mon, 15 Sep 1997 15:44:41 -0700
Ran Atkinson wrote:
IMHO, any serious network operator using OSPF or BGP should have already deployed the techniques below (as applicable):
OSPF with Keyed MD5 Authentication
BGP-4 with the Keyed MD5 Authentication extension as a TCP option.
Well, it does not protect against the threat #1 -- namely source of perfectly good-looking but bogus routes. In fact, cryptography is not the best (or most useful) solution for protecting routing infrastructure from barge-in attacks. The real solution is very simple -- the packets carrying routing data should _not_ be routable. ARP is a good example. Unfortunately the present braindeadedness of IGPs which makes kludges like iBGP hack necessary makes multihop routing of network control information inevitable. I would say we should concentrate on fixing the original problem, not trying to patch holes in the broken-as-designed architecture.
WRT ISIS, lack of a CLNP infrastructure limits the ability of outsiders to attack a network. Nonetheless, ISIS should probably also get some kind of cryptographic authentication extension.
Heh. CLNP is quite widely routed. At some point it was very useful as a way to defeat access-filter based protection in ciscos (that was fixed, though). --vadim
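As an added illustration of the two approaches argued over above (keyed MD5 on routing packets versus refusing any routing packet that has been routed at all), written for this archive page and not code from either poster: it uses an OSPF-style keyed-MD5 digest (RFC 2328 Appendix D construction) and assumes the "not routable" test is "source on the receiving interface's subnet and IP TTL still 255"; all keys, addresses and packet bytes are constructed.

```python
import hashlib
import hmac
import ipaddress

# Added example, not from the thread. Two independent receiver-side checks:
#  - keyed MD5 in the OSPF style: digest = MD5(packet || key padded to 16 bytes)
#  - "arrived unrouted": source on the attached subnet and TTL still 255,
#    i.e. no router has forwarded it (assumed model of "should not be routable").
# Addresses come from the RFC 5737 documentation ranges; everything is constructed.

def keyed_md5(packet: bytes, key: bytes) -> bytes:
    """OSPF-style cryptographic authentication digest (note: not an HMAC)."""
    return hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()

def authenticated(packet: bytes, digest: bytes, key: bytes) -> bool:
    return hmac.compare_digest(keyed_md5(packet, key), digest)

def arrived_unrouted(src_ip: str, ttl: int, iface_net: str) -> bool:
    """True only if the packet could have come straight off the attached link."""
    on_link = ipaddress.ip_address(src_ip) in ipaddress.ip_network(iface_net, strict=False)
    return ttl == 255 and on_link

def classify(packet, digest, key, src_ip, ttl, iface_net):
    """Report which checks pass; a real receiver drops the packet on any failure."""
    return {
        "keyed_md5": authenticated(packet, digest, key),
        "link_local": arrived_unrouted(src_ip, ttl, iface_net),
    }

KEY = b"constructed-shared-key"
IFACE_NET = "192.0.2.0/24"
# A well-formed update announcing a prefix. Neither check looks at its content,
# which is the "perfectly good-looking but bogus route" problem from the reply.
LSU = b"LSUPDATE 198.51.100.0/24 metric=1"

# 1) On-link neighbour with the key: both checks pass, route content still unverified.
honest = classify(LSU, keyed_md5(LSU, KEY), KEY, "192.0.2.2", 255, IFACE_NET)

# 2) Correct digest, but the packet arrived two router hops away from an off-link
#    source: MD5 says nothing about that; only the unrouted-delivery check rejects it.
multihop = classify(LSU, keyed_md5(LSU, KEY), KEY, "203.0.113.9", 253, IFACE_NET)

# 3) On-link sender without the key: this is the case keyed MD5 is designed for.
nokey = classify(LSU, keyed_md5(LSU, b"wrong"), KEY, "192.0.2.3", 255, IFACE_NET)

if __name__ == "__main__":
    for name, result in (("honest", honest), ("multihop", multihop), ("nokey", nokey)):
        print(f"{name:9s} {result}")
```

Case 1 is the point of the reply: once a packet is accepted from a legitimate neighbour, nothing here validates the route it carries, so delivery restrictions and content checks have to come from elsewhere.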