nanog mailing list archives

Re: Winstar says there is no TCP/BGP vulnerability


From: Jared Mauch <jared () puck nether net>
Date: Wed, 21 Apr 2004 10:38:33 -0400


On Wed, Apr 21, 2004 at 10:19:10AM -0400, Patrick W.Gilmore wrote:

On Apr 21, 2004, at 3:56 AM, Michel Py wrote:

Christopher L. Morrow wrote:
For pure: "Don't blow me up with prefixes" just limit the
maximum-prefix to some # over your expected peer's list.

Please allow me to try to make my point again: you store the expected
peer maximum-prefix somewhere in your management system. I do understand
the added complexity, but in the big scheme of things would it be _that_
more difficult to store a comma-delimited string or something that
contains the prefixes that could be announced by that peer instead of
the maximum-prefix?

Yes.


Yes, it generates more work to update the database,
but OTOH it provides the LIII engineer with a lot more to troubleshoot
issues. Is it simply not worth the work at your scale?

Exactly.

And you do not have to be at 701's scale for this to not work.

        We've not had these issues and have been using
bgp passwords/md5 for years.  We do have a fancy configuration
management system in place, whereby people put things into the
database first before they configure the router.

Process is a bitch.  Especially when it involves other people over whom
you have no control.

        When people generate configs based on database actions, and
if they're wrong they break things and it is quickly
noticed next time someone loads/commits a config.

        We even have scripts to check to make sure that on other
devices where we can't just do 'load override' that the configs
are in sync and warn of pitfalls.

        it takes time and effort to build a well maintained system like
this.  sounds like that effort has not been expended on your side.

        then again, i'm guessing you're dealing with less clued people
and have to help them a lot with their bgp configs...

        - jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
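The approach argued over in this message, rendered as an added example that is not code from the thread or from any poster: a peer row stores its expected prefixes as a comma-delimited string, the prefix-list and a maximum-prefix ceiling are both generated from that one row, and a sync check warns when the router's config has drifted from the database. The record layout, the IOS-style syntax, the headroom value and the sample configs are all assumptions constructed for the example.

```python
import ipaddress

# Constructed sample database row: expected prefixes stored as a
# comma-delimited string next to the peer, as the thread proposes.
PEER_RECORD = {"asn": 64496, "neighbor": "192.0.2.1",
               "prefixes": "198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32"}

def parse_prefixes(field):
    """Split the stored string and validate every entry as a network."""
    nets = []
    for item in field.split(","):
        item = item.strip()
        if item:
            # strict=True rejects host bits so a typo cannot reach the router.
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets

def generate_config(rec, headroom=2):
    """Render the explicit filter and a maximum-prefix ceiling from one row."""
    nets = parse_prefixes(rec["prefixes"])
    name = f"AS{rec['asn']}-IN"
    lines = []
    for seq, net in enumerate(nets, start=1):
        kw = "ip" if net.version == 4 else "ipv6"
        lines.append(f"{kw} prefix-list {name} seq {seq * 10} permit {net}")
    # Ceiling sits just above the list so a stray extra prefix still trips it.
    lines.append(f"neighbor {rec['neighbor']} maximum-prefix {len(nets) + headroom}")
    return lines

def check_sync(expected, running):
    """Warn on lines the router lacks and on stale lines it still carries."""
    exp, run = set(expected), set(running)
    warnings = [f"MISSING: {l}" for l in expected if l not in run]
    names = {l.split()[2] for l in expected if "prefix-list" in l}
    for line in running:
        if "prefix-list" in line and line.split()[2] in names and line not in exp:
            warnings.append(f"STALE: {line}")
    return warnings

# Constructed running-config excerpt that has drifted from the database.
RUNNING = [
    "ip prefix-list AS64496-IN seq 10 permit 198.51.100.0/24",
    "ip prefix-list AS64496-IN seq 20 permit 192.0.2.0/24",
    "ipv6 prefix-list AS64496-IN seq 30 permit 2001:db8::/32",
    "neighbor 192.0.2.1 maximum-prefix 5",
]

if __name__ == "__main__":
    for warning in check_sync(generate_config(PEER_RECORD), RUNNING):
        print(warning)
```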
