[quagga-dev 1070] Re: [quagga-users 1754] Re: TCP MD5 for BGP and Linux

John Fraizer syscow at EnterZone.Net
Wed Apr 21 18:21:19 BST 2004

On Wed, 21 Apr 2004, Ted Mittelstaedt wrote:

> Uh, I don't claim to be the world's expert on BGP but hasn't this
> old argument already been addressed a bazillion times before?
> As I understand it, the answer has been for smaller ISPs to use
> packet filters that drop packets with destination IPs of router
> interfaces, (except from the other BGP peers, and management
> stations and such, obviously) and for the larger networks where
> packet filters are impractical, they can use either private IP
> numbers on their BGP peering circuits, or microallocations that
> they don't globally announce.
> Am I wrong or is this just another case of incompetents who
> don't understand how to build internetworks, and think that this
> MD5 stuff is the only answer?
> Ted


Filtering on *your* side of the connection will protect your *peers* from 
the attack if it transited via you, but it won't protect you from packets 
that transit your peer to you.

This is why it is such a problem.  It's hard to enforce a security policy 
on infrastructure that you don't directly control.
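As an added illustration of what "this MD5 stuff" actually buys you when you cannot filter on the far side, the following Python is not from the thread, from Quagga or from the Linux kernel: it implements the RFC 2385 TCP MD5 signature option (kind 19, 18 bytes) as a pure-userspace signer and verifier over constructed TCP segments. The digest covers the TCP pseudo-header, the fixed TCP header with the checksum zeroed (options excluded), the segment data and the shared key, in that order, so a third party in the transit path who knows the addresses, ports and sequence numbers but not the key cannot produce a RST or a data segment the receiver will accept. The peer addresses (RFC 5737 documentation space), ports, sequence numbers, key and BGP KEEPALIVE payload are all assumptions made up for the scenario; the checksum is left at zero because the signature is computed with it zeroed anyway, and a real stack fills it in afterwards.

```python
import hashlib
import hmac
import socket
import struct

# RFC 2385 TCP MD5 option: kind 19, length 18 (kind + length + 16-byte digest).
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MD5 = 0, 1, 19
TCP_OPT_MD5_LEN = 18
FLAG_RST, FLAG_PSH, FLAG_ACK = 0x04, 0x08, 0x10
BGP_PORT = 179


def build_tcp_header(sport, dport, seq, ack, flags, window, data_offset_words):
    """Fixed 20-byte TCP header; checksum and urgent pointer are left at zero."""
    offset_and_flags = (data_offset_words << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_and_flags, window, 0, 0)


def rfc2385_digest(src_ip, dst_ip, tcp_header, options_len, payload, key):
    """MD5 over: pseudo-header (src, dst, zero, proto, segment length),
    fixed TCP header with checksum zeroed (options excluded), data, key."""
    segment_len = len(tcp_header) + options_len + len(payload)
    pseudo_header = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                     + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))
    header_zero_csum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]
    h = hashlib.md5()
    for part in (pseudo_header, header_zero_csum, payload, key):
        h.update(part)
    return h.digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Build a TCP segment carrying a valid RFC 2385 option (18 bytes + 2 NOPs)."""
    options_len = TCP_OPT_MD5_LEN + 2          # pad option block to a 4-byte multiple
    header = build_tcp_header(sport, dport, seq, ack, flags, 65535,
                              (20 + options_len) // 4)
    digest = rfc2385_digest(src_ip, dst_ip, header, options_len, payload, key)
    options = bytes([TCP_OPT_NOP, TCP_OPT_NOP, TCP_OPT_MD5, TCP_OPT_MD5_LEN]) + digest
    return header + options + payload


def extract_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None                        # truncated option list
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                        # malformed length
        if kind == TCP_OPT_MD5 and length == TCP_OPT_MD5_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver-side check: recompute the digest and compare in constant time.
    On a signed session a segment without the option is rejected outright."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    header, options, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    received = extract_md5_option(options)
    if received is None:
        return False
    expected = rfc2385_digest(src_ip, dst_ip, header, len(options), payload, key)
    return hmac.compare_digest(received, expected)


# Constructed scenario (assumed values): peers A and B share a key; someone in the
# transit path injects a RST with the right addresses, ports and a plausible
# sequence number, but without the key.
PEER_A, PEER_B = "192.0.2.1", "192.0.2.2"
SHARED_KEY = b"example-bgp-key"
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"     # 19-byte BGP KEEPALIVE message


def demo():
    good = sign_segment(PEER_A, PEER_B, 40000, BGP_PORT, 1000, 2000,
                        FLAG_PSH | FLAG_ACK, KEEPALIVE, SHARED_KEY)
    forged_rst = sign_segment(PEER_A, PEER_B, 40000, BGP_PORT, 1019, 2000,
                              FLAG_RST | FLAG_ACK, b"", b"attacker-guess")
    tampered = good[:-1] + b"\x05"             # flip the last payload byte in transit
    unsigned = build_tcp_header(40000, BGP_PORT, 1000, 2000,
                                FLAG_PSH | FLAG_ACK, 65535, 5) + KEEPALIVE
    return {
        "genuine": verify_segment(PEER_A, PEER_B, good, SHARED_KEY),
        "forged_rst": verify_segment(PEER_A, PEER_B, forged_rst, SHARED_KEY),
        "tampered": verify_segment(PEER_A, PEER_B, tampered, SHARED_KEY),
        "unsigned": verify_segment(PEER_A, PEER_B, unsigned, SHARED_KEY),
        "wrong_addresses": verify_segment(PEER_B, PEER_A, good, SHARED_KEY),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:16s} accepted={accepted}")
```

Only the genuine segment verifies; the forged RST, the tampered payload, the unsigned segment and the same bytes attributed to swapped addresses are all dropped, which is the property that per-hop filtering cannot give you for traffic arriving through a peer you don't control. In practice this lives in the kernel rather than userspace (Linux later added the TCP_MD5SIG socket option, which bgpd uses for `neighbor ... password`), and RFC 2385 has since been obsoleted by TCP-AO (RFC 5925), but the thing being authenticated is the same.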


