nanog mailing list archives

RE: Winstar says there is no TCP/BGP vulnerability


From: "Peering" <Peering () xspedius com>
Date: Wed, 21 Apr 2004 11:28:24 -0400


We do prefix-filter all our peers, both customer and transit.  We also
use as-path filters.  It does seem to help us avoid insertion of invalid
routes and other issues (especially since some people we peer with don't
do the same on their side).

As far as stability and process problems, we're too busy working on the
instability of the Ciscos we're on now to notice, particularly the
problem with BGP scanner taking up all the CPU every 60 seconds.  We're
preparing to move from an ATM core on Alcatel ATM switches with a Cisco
edge to an IP-MPLS core on Juniper M-20s with M-20s (and a few Ciscos in
smaller cities) on the edge.  Hopefully that will improve our stability.
We're pretty excited about the Junipers (the network geeks like me here
are drooling).

Diane Turley
Network Engineer
Xspedius Communications Co.
636-625-7178


-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Patrick W.Gilmore
Sent: Wednesday, April 21, 2004 10:12 AM
To: nanog () merit edu
Cc: Patrick W.Gilmore
Subject: Re: Winstar says there is no TCP/BGP vulnerability



On Apr 21, 2004, at 10:38 AM, Jared Mauch wrote:

On Wed, Apr 21, 2004 at 10:19:10AM -0400, Patrick W.Gilmore wrote:

Yes, it generates more work to update the database,
but OTOH it provides the LIII engineer with a lot more to troubleshoot
issues. Is it simply not worth the work at your scale?

Exactly.

And you do not have to be at 701's scale for this to not work.

We've not had these issues and have been using
bgp passwords/md5 for years.  We do have a fancy configuration
management system in place, whereby people put things into the database
first before they configure the router.

Sorry, in this particular post, we were (or at least I was) talking 
about having prefix filters for all your peers.  I know I've talked a 
lot about MD5 lately, just thought it would be a nice change of 
subject. :)

If you do prefix filter all your peers, that is impressive.  Do you get 
out of sync a lot?  Does it help keep the network more stable?  Or do 
process problems make it worse than just max-prefixes on a peer?

-- 
TTFN,
patrick

