nanog mailing list archives

RE: tcp bgp vulnerability looking glass and route server issues.


From: "David Luyer" <david () luyer net>
Date: Thu, 22 Apr 2004 10:10:17 +1000


Lane Patterson wrote:
While I agree that publicly open route-views routers should not allow
display of "sho ip bgp nei" information, this is only giving away 4-tuple
info regarding non-production BGP sessions, right?  So folks could
potentially flap the route-views sessions, but this will not affect any
production routing in the data path.

If any folks are allowing "sho ip bgp nei" via looking glass interface to
a production router, then yes, that is a problem.  I haven't seen any.

I've seen direct looking glasses into IX routers, into SP production routers
and to routers which peer with major routers - where you could consider
that resetting the session frequently could start having CPU impact on
the router connected to the route server.

They're all potentially impacting problems.

Also, if checking whether you have a problem, make sure you don't permit:

   sh ip bgp nei
   sh ip bgp nei x.x.x.x
   sh tcp

David.
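One way to enforce the check at the end of the message in looking-glass software, as an added example that is not from the post or from any real looking glass: IOS accepts any unambiguous prefix of a keyword, so "sh ip bgp nei", "sho ip bgp neighbo" and "show ip bgp neighbors" are the same command, and a filter that blocks only the literal strings above still leaks the session 4-tuples. The filter below expands each word to its full keyword first and then applies an allowlist; the keyword table and the allowed command shapes are assumptions made for this example.

```python
import ipaddress

# IOS keywords the looking glass knows about (constructed for this example).
KEYWORDS = ["show", "ip", "bgp", "neighbors", "tcp", "route", "summary",
            "ping", "traceroute", "regexp", "brief"]

# Canonical command shapes the looking glass will run.  "show ip bgp neighbors"
# and "show tcp" are deliberately absent, so neighbor addresses and TCP port
# numbers are never displayed.  "<prefix>" stands for an IPv4/IPv6 prefix.
ALLOWED = (
    ("show", "ip", "bgp", "<prefix>"),
    ("show", "ip", "route", "<prefix>"),
)


def expand(token):
    """Expand an IOS-style abbreviation to its full keyword.

    Returns None when the token matches no keyword or more than one; IOS
    treats the second case as an ambiguous command, and so do we.
    """
    matches = [k for k in KEYWORDS if k.startswith(token.lower())]
    return matches[0] if len(matches) == 1 else None


def is_prefix(token):
    """True if the token parses as an IP address or prefix (e.g. 192.0.2.0/24)."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def canonicalize(command):
    """'sho ip bgp nei 192.0.2.1' -> ['show', 'ip', 'bgp', 'neighbors', '192.0.2.1'].

    Prefix tokens are kept verbatim; any other token that is not an
    unambiguous keyword abbreviation makes the whole command invalid (None).
    """
    words = []
    for tok in command.split():
        if is_prefix(tok):
            words.append(tok)
            continue
        keyword = expand(tok)
        if keyword is None:
            return None
        words.append(keyword)
    return words


def check(command):
    """Return True only if the command canonicalizes to an allowed shape."""
    words = canonicalize(command)
    if words is None:
        return False
    return any(len(shape) == len(words) and
               all(s == w or (s == "<prefix>" and is_prefix(w))
                   for s, w in zip(shape, words))
               for shape in ALLOWED)
```

Because matching happens on the expanded form, every spelling of the three commands in the message is rejected, while the usual prefix lookups still work.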

