[quagga-dev 1070] Re: [quagga-users 1754] Re: TCP MD5 for BGP and Linux

John Fraizer syscow at EnterZone.Net
Wed Apr 21 18:21:19 BST 2004


On Wed, 21 Apr 2004, Ted Mittelstaedt wrote:

> 
> 
> Uh, I don't claim to be the worlds expert on BGP but hasn't this
> old argument already been addressed a bazillion times before?
> 
> As I understand it, the answer has been for smaller ISP's to use
> packet filters that drop packets with destination IP's of router
> interfaces, (except from the other BGP peers, and management
> stations and such, obviously) and for the larger networks where
> packet filters are impractical, they can use either private IP
> numbers on their BGP peering circuits, or microallocations that
> they don't globally announce.
> 
> Am I wrong or is this just another case of incompetents who
> don't understand how to build internetworks, and think that this
> MD5 stuff is the only answer?
> 
> Ted


Ted,

Filtering on *your* side of the connection will protect your *peers* from 
the attack if it transited via you but, it won't protect you from packets 
that transit your peer to you.

This is why it is such a problem.  It's hard to enforce a security policy 
on infrastructure that you don't directly control.

John






More information about the Quagga-dev mailing list