nanog mailing list archives
IP economics morphed into (TCP/RST)
From: "Blaine Christian" <blaine.christian () mci com>
Date: Tue, 20 Apr 2004 15:29:29 -0400
> The other is our new hot topic of security. Not sure if anyone has thought of this yet (or how interesting it is), but the nature of the BGP attack means that if you can view a BGP session you can figure out things about a peer that would otherwise be hidden from you, in particular the port numbers in use. I'm not entirely clear on the details, but it sounds like when you hit the first session, you can take the rest out very easily. We can't take BGP out of band (yet!); perhaps we can keep it better hidden from view though.
There are more protection methods available than just MD5 (as you allude to, Steve). One mitigator is to use "non-routed" space for BGP peer connections. If you have the ability to filter on TTL 255 you are in even better shape (arguably perfectly secure against all but configuration/hardware failures).

You have some vulnerability with non-routed space if you do default routing or have folks who default towards the device doing the BGP peering, though. Source routing is also a potential hazard for the non-routed solution (does anyone have this enabled anymore?).

Apologies for the morph, but this raised a great point.

Regards,
Blaine
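The TTL 255 filter Blaine describes (later standardised as the Generalized TTL Security Mechanism, GTSM) works because every forwarding router decrements the IPv4 TTL, so a segment that arrives with TTL 255 can only have come from a directly attached neighbour. The simulation below is an added illustration, not code from the post or from any router vendor; it generalises the one-hop case to a configurable expected hop count, and the `Packet`, `forward`, `gtsm_accept` and `deliver` names are all hypothetical.

```python
"""Hypothetical model of the TTL-based BGP filter (GTSM). Constructed for
illustration: it forwards a packet through a chain of routers, each of which
decrements the TTL, and then applies the receiver's TTL check."""
from dataclasses import dataclass
from typing import Optional

MAX_TTL = 255  # the largest value the 8-bit IPv4 TTL field can carry


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int


def forward(packet: Packet, intermediate_routers: int) -> Optional[Packet]:
    """Carry the packet across `intermediate_routers` forwarding hops. Each
    hop decrements the TTL and drops the packet once it reaches zero."""
    if not 1 <= packet.ttl <= MAX_TTL:
        raise ValueError("IPv4 TTL must be in 1..255")
    ttl = packet.ttl
    for _ in range(intermediate_routers):
        ttl -= 1
        if ttl <= 0:
            return None  # TTL exceeded in transit
    return Packet(packet.src, packet.dst, ttl)


def gtsm_accept(packet: Packet, expected_hops: int = 1) -> bool:
    """Receiver-side check. With expected_hops=1 (a directly connected peer)
    only TTL 255 is accepted; a multihop session `expected_hops` away allows
    255 - expected_hops + 1. This relies on the peer sending with TTL 255."""
    return packet.ttl >= MAX_TTL - expected_hops + 1


def deliver(src: str, dst: str, intermediate_routers: int,
            initial_ttl: int = MAX_TTL, expected_hops: int = 1) -> bool:
    """True if a segment sent with `initial_ttl` from `intermediate_routers`
    routers away passes the receiver's TTL filter."""
    pkt = forward(Packet(src, dst, initial_ttl), intermediate_routers)
    return pkt is not None and gtsm_accept(pkt, expected_hops)


if __name__ == "__main__":
    # Directly attached peer: accepted. A sender three routers away cannot
    # present TTL 255 no matter what it starts with: rejected.
    print(deliver("peer", "router", intermediate_routers=0))
    print(deliver("remote", "router", intermediate_routers=3))
```

The check is only as good as the link topology it assumes: the default-routing and source-routing caveats in the post are exactly the cases where the "directly attached" assumption stops holding.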