[c-nsp] BGP MD5 DDOS ?

Dobbins, Roland rdobbins at arbor.net
Sun Sep 16 00:10:14 EDT 2012


On Sep 15, 2012, at 7:58 PM, Nick Hilliard wrote:

> The general advice is still to use CoPP or ACLs to deprioritise unknown BGP traffic. GTSM can help in some situations, particularly at IXPs. Otherwise MD5 is a matter of choice. Some people like it; others don't.

Concur.

There are no recorded instances of MD5 keying contributing to a DoS in the wild, AFAIK.  And of course if you use iACLs, CoPP, GTSM, you therefore keep unwanted traffic off your session in the first place.

MD5 keying is useful as a safeguard to make folks really think before they bring up new peers.  Sort of a last-ditch, "Are you *really* sure you want to do this, have you done everything else necessary to secure and protect this new routing relationship?"

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
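
The layering discussed in this thread (CoPP deprioritising BGP from sources that are not configured peers, with GTSM and MD5 on the session itself), sketched as Cisco IOS configuration. This is an added example, not configuration from either poster; the addresses, AS numbers, policer rates and object names are assumptions, and the password is a placeholder.

```cisco
! Constructed values: 192.0.2.1 = this router, 192.0.2.2 = configured eBGP peer,
! AS 64496/64497 are documentation ASNs, policer rates are illustrative only.
!
! BGP to or from the configured peer
ip access-list extended COPP-BGP-KNOWN
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
!
! Any other TCP/179 aimed at the control plane
ip access-list extended COPP-BGP-UNKNOWN
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map match-all COPP-BGP-KNOWN
 match access-group name COPP-BGP-KNOWN
class-map match-all COPP-BGP-UNKNOWN
 match access-group name COPP-BGP-UNKNOWN
!
! Order matters: known peers are classified first, so the second class
! only ever sees BGP from sources that are not configured peers.
policy-map COPP-IN
 class COPP-BGP-KNOWN
  police 512000 conform-action transmit exceed-action transmit
 class COPP-BGP-UNKNOWN
  police 32000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-IN
!
router bgp 64496
 neighbor 192.0.2.2 remote-as 64497
 ! GTSM: accept session packets only from a directly connected sender (TTL >= 254)
 neighbor 192.0.2.2 ttl-security hops 1
 ! MD5 keying; placeholder secret, agreed with the peer out of band
 neighbor 192.0.2.2 password <shared-secret>
```

With the unknown-source class policed ahead of the BGP process, packets from non-peers are dropped before any MD5 verification would take place, which is the point made above about keeping unwanted traffic off the session.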



