nanog mailing list archives
Re: Best Current Practices for Routing Protocol Security
From: dylan () juniper net
Date: Tue, 13 Aug 2002 16:11:26 -0400
On Wed, Aug 14, 2002 at 01:44:26PM -0500, John Kristoff wrote:
> 6. Address validation on all edge devices
>
> Filter to only allow neighbor IPs to the specific routing protocol.
> For example on a BGP peer, filter TCP port 179 on each peer interface
> to only allow the expected peer IP.
Agreed. If one or both sides aren't doing any sort of uRPF or ingress filtering on their edges, it may still be possible to throw packets at BGP from behind the remote peering router.

It's probably not a bad idea to have an additional filter to block traffic going to port 179 on the peer's dst from _any_ src on all of the other interfaces on the peering router. (Or some other mechanism which does the same thing, which I think Sean was pointing out.)

It's sort of mutually beneficial for both sides of a given peering to protect each other, as it's not really possible for a filter on one side to fully protect itself.

(Just my additional $0.02)

..Dylan

--
Dylan Greene
Juniper Networks
+1 617/407-6254
dylan () juniper net
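The two filters discussed in this exchange, modelled as a first-match packet filter so the effect on each interface can be checked. This is an added example, not code from the original posts or from Juniper; the interface names (ge-0/0/0 as the peering interface, ge-0/0/1 and ge-0/0/2 as customer interfaces), the addresses (RFC 5737 documentation ranges) and the sample packets are constructed for illustration. The "spoofed as peer" sample shows the gap Dylan describes: a packet whose source is forged as the neighbor's address looks identical to a real peer packet to the local filter, which is why the other side's filter (or uRPF at their edge) is needed to close it.

```python
"""Model of per-interface TCP/179 filtering on a BGP peering router.

Added example, not part of the original thread. Interface names,
addresses and the packets below are constructed (assumption: one eBGP
peer on ge-0/0/0, customer/core traffic on the other interfaces).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    ingress_if: str
    src: IPv4Address
    dst: IPv4Address
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str  # "accept" or "discard"
    src: Optional[IPv4Network] = None  # None means any
    dst: Optional[IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or p.src in self.src)
                and (self.dst is None or p.dst in self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))


def evaluate(rules: List[Rule], p: Packet, default: str = "accept") -> str:
    """First matching term wins, as in a firewall filter or ACL."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def build_filters(peer_if: str, local_ip: str, peer_ip: str,
                  other_ifs: List[str]) -> Dict[str, List[Rule]]:
    local = IPv4Network(f"{local_ip}/32")
    peer = IPv4Network(f"{peer_ip}/32")
    filters: Dict[str, List[Rule]] = {}
    # Peering interface: only the expected neighbor may reach our TCP/179;
    # any other source aimed at our BGP port is discarded.
    filters[peer_if] = [
        Rule("accept", src=peer, dst=local, proto="tcp", dport=BGP_PORT),
        Rule("discard", dst=local, proto="tcp", dport=BGP_PORT),
    ]
    # Every other interface: nothing from any source may be forwarded to
    # the peer's BGP port (protects the remote side from hosts behind us),
    # and nothing may reach our own peering address on TCP/179 either,
    # since no neighbor is expected there.
    for ifname in other_ifs:
        filters[ifname] = [
            Rule("discard", dst=peer, proto="tcp", dport=BGP_PORT),
            Rule("discard", dst=local, proto="tcp", dport=BGP_PORT),
        ]
    return filters


def verdict(filters: Dict[str, List[Rule]], p: Packet) -> str:
    return evaluate(filters.get(p.ingress_if, []), p)


# Constructed sample traffic (RFC 5737 documentation addresses).
LOCAL_IP, PEER_IP = "192.0.2.1", "192.0.2.2"
FILTERS = build_filters("ge-0/0/0", LOCAL_IP, PEER_IP, ["ge-0/0/1", "ge-0/0/2"])


def pkt(ifname, src, dst, dport, proto="tcp"):
    return Packet(ifname, IPv4Address(src), IPv4Address(dst), proto, dport)


SAMPLES = {
    # legitimate peer session on the peering interface
    "peer_syn": pkt("ge-0/0/0", PEER_IP, LOCAL_IP, BGP_PORT),
    # stray host on the peering link probing our BGP port
    "rogue_on_peer_if": pkt("ge-0/0/0", "198.51.100.7", LOCAL_IP, BGP_PORT),
    # source forged as the peer from behind the remote router: our filter
    # cannot tell it apart; only the remote side's filter or uRPF can
    "spoofed_as_peer": pkt("ge-0/0/0", PEER_IP, LOCAL_IP, BGP_PORT),
    # customer behind us trying to reach the peer's BGP port through us
    "customer_to_peer_bgp": pkt("ge-0/0/1", "203.0.113.9", PEER_IP, BGP_PORT),
    # customer behind us trying to reach our own peering address on 179
    "customer_to_local_bgp": pkt("ge-0/0/2", "203.0.113.9", LOCAL_IP, BGP_PORT),
    # ordinary transit traffic is untouched
    "customer_web": pkt("ge-0/0/1", "203.0.113.9", "198.51.100.50", 443),
}


def run_demo() -> Dict[str, str]:
    return {name: verdict(FILTERS, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_demo().items():
        print(f"{name:24s} {v}")
```

The model deliberately does nothing about the spoofed packet on the peering interface: there is no field the local router can match on to reject it, which is the point about each side having to filter for the other.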
Current thread:
- Routing Protocol Security Jeff Doyle (Aug 13)
- Re: Routing Protocol Security senthil ayyasamy (Aug 13)
- Re: Routing Protocol Security dylan (Aug 13)
- Re: Routing Protocol Security batz (Aug 13)
- Re: Routing Protocol Security Hank Nussbacher (Aug 13)
- Re: Routing Protocol Security dylan (Aug 13)
- Re: Routing Protocol Security senthil ayyasamy (Aug 13)
- Best Current Practices for Routing Protocol Security Sean Donelan (Aug 14)
- Re: Best Current Practices for Routing Protocol Security John Kristoff (Aug 14)
- Re: Best Current Practices for Routing Protocol Security dylan (Aug 14)
- Re: Best Current Practices for Routing Protocol Security Stephen J. Wilcox (Aug 14)
- Re: Best Current Practices for Routing Protocol Security John Kristoff (Aug 14)
- <Possible follow-ups>
- Re: Routing Protocol Security Danny McPherson (Aug 13)