Ah, but if you are really worried about that extra 60 to 90 seconds to
form the bgp relationship, you probably have other problems - flapping
comes to mind, link stability could be an issue (let's face it, if
you're running bgp, you should be on fairly stable links). Setting aside
bandwidth for bgp relationships to avoid drops on a busy link is a good
idea as well.

I'm more than willing to make small sacrifices to ensure that my link is
stable and my bgp relationships are secure, rather than let every script
kiddie out there take a shot at downing my networks.

Granted, I'm not a major ISP, but I think that they could handle setting
up md5 for the few AS to AS connections that they probably have. I have
14 individual AS's on my corporate network, however I'm connecting into
an MPLS backbone that sorta makes the issue of md5 a non-starter -
though I have pushed for it and hope to see it available to me soon.

Anarchy rules! Right?

Andras

-----Original Message-----
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 10:49 PM
To: Andras Bellak; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Latest Hackers Target: Routers [7:29844]


I know from my studies that there is BGP neighbor md5 authentication.

Somewhere in my reading I seem to recall that employing authentication can
add 50-100% to the time it takes a neighbor relationship to form. Fine for
lab work, maybe not so fine in the world of the production ISP.

phrak, this is all we need. ISP's start preventing BGP packets from any but
known and trusted sources to cross their networks and there go the internet
BGP practice labs.

damn anarchists.

Chuck

-------
neighbor password
To enable Message Digest 5 (MD5) authentication on a TCP connection between
two Border Gateway Protocol (BGP) peers, use the neighbor password router
configuration command. To disable this function, use the no form of this
command.

neighbor {ip-address | peer-group-name} password string
-------
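As an added illustration, not taken from any message in this thread, here is a constructed IOS configuration fragment that applies the neighbor password command quoted above to an eBGP peering. The AS numbers (64496/64497) and addresses (192.0.2.0/24) are documentation ranges, and the password string is a placeholder; both routers must carry the same secret.

```cisco
! Constructed example (not from the thread): eBGP peering protected with
! TCP MD5 via the "neighbor password" command quoted above.
! AS 64496/64497 and 192.0.2.0/24 are reserved documentation values;
! the password is a placeholder and must be identical on both peers.
!
! Keep secrets out of the clear-text running config.
service password-encryption
!
router bgp 64496
 bgp log-neighbor-changes
 !
 ! Weak setting: unauthenticated peer. Any host that can reach TCP/179
 ! on this router can attempt to disturb the session with forged segments.
 ! neighbor 192.0.2.2 remote-as 64497
 !
 ! Corrected setting: same peer, but every TCP segment now carries an MD5
 ! digest keyed on the shared secret, and segments without a valid digest
 ! are discarded before BGP ever sees them.
 neighbor 192.0.2.2 remote-as 64497
 neighbor 192.0.2.2 description ISP-A uplink (placeholder)
 neighbor 192.0.2.2 password CHANGE-ME-shared-secret
!
```

Adding or changing the password tears the TCP session down, so it is the one moment the re-formation delay discussed in this thread actually bites; coordinate the change with the peer. While the secrets are mismatched, IOS logs %TCP-6-BADAUTH messages for the dropped segments, which is also the signal to watch for if someone starts sending unauthenticated segments at the peer address later.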

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Andras Bellak
Sent: Thursday, December 20, 2001 9:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Latest Hackers Target: Routers [7:29844]


Nigel-

If you dig back through the NANOG archives, there was a rather in-depth
and discouraging discussion of encrypting / authorizing BGP session
neighbors. The general result was that almost nobody supported it, and
many in the ISP groups that offer BGP connectivity didn't even know what
it was.

While it might or might not be on the CCIE exams, having some form of
authentication between routing partners is a good thing to practice in
your test labs, and put into production in your networks.

Andras

-----Original Message-----
From: Nigel Taylor [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 8:33 PM
To: [EMAIL PROTECTED]
Subject: Re: Latest Hackers Target: Routers [7:29844]


Chuck,
Yes, I got the thread on this today and forwarded a copy to
some of my co-workers.  I hope folks are making use of the various IOS
implementations to limit the damage done by a prospective attacker. Things
like CBAC, rate-limit could go a long way in simply providing the needed
time to identify a serious attack and implement more specific filtering
techniques to identify or completely block the attacker.

As it applies to the sniffing of BGP packets to gain route information, I
was wondering where do things stand now on the implementation of encrypted
authentication within BGP.  If I'm not mistaken, isn't this supposed to
happen along with support for IPv6?    This document references
authentication which sounds like the existing support for MD5 based
authentication.

http://search.ietf.org/internet-drafts/draft-ietf-idr-bgp4-16.txt  (pg 9(a))


Now this document does seem to address current issues with respect to the
flaws/vulnerabilities inherent to all TCP based protocols. The important
thing to note is this can be done without the presence of a MPLS aware
backbone based on the model identified by RFC2547bis (MPLS/VPN).

http://search.ietf.org/internet-drafts/draft-declercq-bgp-ipsec-vpn-01.txt


Thoughts anyone..

Nigel .

----- Original Message -----
From: "Chuck Larrieu"
To:
Sent: Thursday, December 20, 2001 10:14 PM
Subject: RE: Latest Hackers Target: Routers [7:29810]


> anyone see a thread about this on NANOG today? The archives are not up to
> date with today's topics.
>
> Chuck
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Eric Rogers
> Sent: Thursday, December 20, 2001 1:29 PM
> To: [EMAIL PROTECTED]
> Subject: OT: Latest Hackers Target: Routers [7:29810]
>
>
> Paste into your browser:
>
> dailynews.yahoo.com/h/cmp/20011217/tc/inw20011217s0004_1.html

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29863&t=29844
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]