I agree with the part that there are many human-related problems
with BGP configs and policy implementations. But that's the case
with other protocols as well. In BGP's case it's probably showing more
of people's carelessness or misunderstanding of the working of the protocol,
since, as you mentioned, there are rare instances of protocol implementations
besides the Internet. All the things you can implement facing the customer
are fine and dandy; you can protect yourself and the customer has to adhere
to certain policies as well. I think there is a problem with the scope of
some networks: if you have to deal with filtering and such of hundreds or
thousands of prefixes then you will see there is a good chance for mistakes.
This is probably even more the case with inter-provider peerings, where you
are really limited in what you can do, as the workload on you would be quite
substantial. Even if you did the proper work, there are cases for updates and
revisiting where you can run into additional problems.

All in all, I don't think the problem is with the protocol;
it's the diversity of the networks that need to be supported,
the lack of consistent information and, obviously, the human factor.


"Logan, Harold" wrote in message
news:[EMAIL PROTECTED]
> In my uneducated opinion, it seems to me like there are much larger concerns
> out there than BGP security. I say uneducated because I haven't worked for
> an ISP, nor have I worked for any other organization that would run BGP. My
> BGP experience consists of reading and lab work, that's it. I'm a Cisco
> Network Academy instructor, and the majority of my experience is from lab
> work and consulting. I'm teaching my first CCNP Routing class starting next
> week, so any input from those in the know would be appreciated. Hell, I'll
> appreciate input from those not in the know, I'm not picky... just don't
> expect me to take it as gospel truth.
>
> When I tell a router to peer with another BGP speaker, I can put
> restrictions on it. I can tell it what AS paths I'll accept from that peer,
> and what prefixes I'll accept from that peer. If I'm an ISP peering with a
> customer who has the class C network 210.5.5.0 assigned to them, do I not
> have a responsibility to configure my BGP router to ignore any BGP
> advertisements from that customer that are not advertising 210.5.5.0? I know
> that no one is going to hold me to it, it's not like the IETF has a squad of
> mercenaries who are going to kick the door in and check my configs, but
> doesn't that responsibility fall to both the customer and the ISP?
>
> Sorry if I'm off base here, but that's my basic understanding of how things
> work; the customer has a responsibility to only advertise their networks,
> and the ISP has a responsibility to only accept advertisements for that
> customer's networks. Does the same relationship exist among ISPs, or do
> things get too complex to filter updates at that point?
>
> It seems like the "security hole" in BGP is the human that configures a BGP
> router to accept any route it gets. Thoughts?
>
> Hal Logan CCAI, CCDP, CCNP: Voice
> Network Specialist / Adjunct Faculty
> Computing & Engineering Technology
> Manatee Community College
>
>
> > -----Original Message-----
> > From: Edwin R. Gonzalez [mailto:[EMAIL PROTECTED]
> > Sent: Friday, February 28, 2003 11:39 PM
> > To: [EMAIL PROTECTED]
> > Subject: Who likes BGP? [7:64132]
> >
> >
> > Hey,
> >
> > It's your friendly neighborhood CISCO MAN!!!!!
> > Sorry, it's Friday night, I'm still at work with a coffee
> > buzz that might last me until the morning.
> >
> > I came across this article that might be of interest to
> > some people, check it out;
> > http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed
> >
> >
> >
> > --
> > _________________________________
> > The harder you work, the luckier you get!
> > _________________________________
> > The only place success comes before
> > work is in the dictionary!!!
> > _________________________________




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64167&t=64132
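
The inbound customer filter discussed in this thread (accept only the assigned prefix and only the customer's own AS in the path), modelled as an added example that is not part of the original posts. The AS numbers, the `max_len` limit and all function names are assumptions made for illustration; 210.5.5.0/24 is the block named in the quoted message.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class CustomerPolicy:
    asn: int            # customer's AS number
    prefixes: tuple     # address blocks assigned to this customer
    max_len: int = 24   # longest prefix length accepted (assumed policy)

def evaluate(policy, prefix, as_path):
    """Return (accepted, reason) for one announcement from the customer session."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    # A stub customer should only originate routes: every AS in the path
    # must be its own (repeats from prepending are fine).
    if not as_path or any(asn != policy.asn for asn in as_path):
        return False, "AS path not limited to customer AS"
    if net.prefixlen > policy.max_len:
        return False, "more specific than allowed"
    for allowed in policy.prefixes:
        block = ipaddress.ip_network(allowed)
        if net.version == block.version and net.subnet_of(block):
            return True, "within assigned space"
    return False, "prefix not assigned to customer"  # default deny

def filter_updates(policy, updates):
    """Return (accepted prefixes, [(prefix, reason), ...] for rejects)."""
    results = [(p, *evaluate(policy, p, path)) for p, path in updates]
    accepted = [p for p, ok, _ in results if ok]
    rejected = [(p, why) for p, ok, why in results if not ok]
    return accepted, rejected

# Constructed sample announcements; AS numbers are from the private-use range.
POLICY = CustomerPolicy(asn=64501, prefixes=("210.5.5.0/24",))
UPDATES = [
    ("210.5.5.0/24", [64501]),            # the assigned block
    ("210.5.5.0/24", [64501, 64501]),     # same block, prepended
    ("210.5.5.128/25", [64501]),          # more-specific of the block
    ("0.0.0.0/0", [64501]),               # default route leak
    ("210.5.4.0/23", [64501]),            # covering aggregate, not assigned
    ("198.51.100.0/24", [64501, 64999]),  # route learned from another AS
]

if __name__ == "__main__":
    print(filter_updates(POLICY, UPDATES))
```

With hundreds or thousands of customer prefixes the policy table itself becomes the place where mistakes happen, which is the scaling concern raised in the reply above.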