We discussed this and thought about it a long time ago. It's an artifact of
the way the UNIX kernel API works. You don't get to "see" the IP address of
the remote peer to validate it until after you send back the SYN ACK. We
just send back the SYN ACK and FIN the connection as soon as it starts up.
ACLs are, of course, the best way to protect yourself against DOS attacks
against this port.
An automatic "generate an ACL" feature based off of the bgp peers would be a
nice feature. Thanks for suggesting it.
Paul
----- Original Message -----
From: "Greg Ketell" <gketell@juniper.net>
To: "Lane Patterson" <lpatterson@equinix.com>; "'Stephen Gill'"
<gillsr@yahoo.com>; <juniper-nsp@puck.nether.net>
Cc: <robt@cymru.com>
Sent: Tuesday, September 04, 2001 2:38 PM
Subject: RE: [j-nsp] BGP tcp/179 security on JunOS
> At 02:23 PM 9/4/2001, Lane Patterson wrote:
>
> >Yes, and they are unnecessary, and have been as far back as I'm aware,
> >which is IOS 11.x-12.x, including a few that I just sanity tested so I
> >wouldn't look like an idiot sending out this mail :-) I haven't tested
> >any old 10.3 routers.
> >
> >IOS does in fact behave as I've described, without extra effort, and I
> >doubt it would be too hard for any other leading favorite vendor to
> >incorporate this most logical behavior (Greg?) :-)
>
> Already forwarded to the developers for internal discussion. :->
> GK
>
>
> >If anyone can prove this wrong, chime in; otherwise I'd like to see
> >Rob's fine documents continue to improve with time.
> >
> >Cheers,
> >-Lane
>
>
This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:37 EDT