[nsp] bgp vulnerability?

Dmitry Volkov dmitry.volkov at rogers.com
Tue Apr 20 16:55:57 EDT 2004


Well, I was not asking about operational workarounds - like MD5 and RFC 2827,
etc. - but rather about vendors' fixes like Checkpoint, IIJ. I'm sure Cisco
will come up soon...

> -----Original Message-----
> From: Gert Doering [mailto:gert at greenie.muc.de]
> Sent: Tuesday, April 20, 2004 4:42 PM
> To: Dmitry Volkov
> Cc: 'Steve Francis'; 'Don Bowman'; cisco-nsp at puck.nether.net
> Subject: Re: [nsp] bgp vulnerability?
>
>
> Hi,
>
> On Tue, Apr 20, 2004 at 04:34:15PM -0400, Dmitry Volkov wrote:
> > I'm just wondering - because it's valid RFC 793 behavior,
> > how can it be avoided?
> > By not complying with the RFC?
> > If the sequence number has to match exactly (but not in the
> > window) - then there may quite often be situations when
> > valid Resets will not work
>
> Ignore all RSTs that do not carry a valid MD5 hash.
>
> Make sure that no packets with spoofed source addresses can enter or leave
> your network.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
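
The RST acceptance rules discussed in this thread, as an added example that is not part of the original messages: RFC 793's in-window test next to the exact-match rule the question raises, written as receiver-side C. The struct and function names are hypothetical, and the values in main are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Receiver state, using RFC 793 names (struct itself is hypothetical). */
struct rcv_state {
    uint32_t rcv_nxt;   /* RCV.NXT: next sequence number expected */
    uint32_t rcv_wnd;   /* RCV.WND: advertised receive window */
};

/* RFC 793 test for a zero-length segment such as a bare RST:
 * RCV.NXT =< SEG.SEQ < RCV.NXT+RCV.WND, evaluated modulo 2^32.
 * With a zero window only SEG.SEQ == RCV.NXT is acceptable. */
static bool rst_in_window(const struct rcv_state *s, uint32_t seg_seq)
{
    uint32_t offset = seg_seq - s->rcv_nxt;   /* unsigned wrap = mod 2^32 */
    return s->rcv_wnd == 0 ? offset == 0 : offset < s->rcv_wnd;
}

/* The stricter rule the question raises: exact match only. */
static bool rst_exact(const struct rcv_state *s, uint32_t seg_seq)
{
    return seg_seq == s->rcv_nxt;
}

int main(void)
{
    /* Constructed values: receiver expects 0xFFFFFF00, window 16384. */
    struct rcv_state s = { 0xFFFFFF00u, 16384u };
    /* Peer sent 2000 more bytes that were lost, then aborted: its RST
     * carries its own SND.NXT, which is ahead of our RCV.NXT. */
    uint32_t genuine_rst = s.rcv_nxt + 2000u;   /* wraps past zero */
    uint32_t stale_rst = s.rcv_nxt - 1u;        /* just below the window */

    printf("genuine RST after loss: in-window=%d exact=%d\n",
           rst_in_window(&s, genuine_rst), rst_exact(&s, genuine_rst));
    printf("RST below window:       in-window=%d exact=%d\n",
           rst_in_window(&s, stale_rst), rst_exact(&s, stale_rst));
    printf("RST at RCV.NXT:         in-window=%d exact=%d\n",
           rst_in_window(&s, s.rcv_nxt), rst_exact(&s, s.rcv_nxt));
    return 0;
}
```

The first output line is the case raised in the thread: a legitimate reset that the in-window rule accepts and the exact-match rule drops. The in-window rule cannot tell that reset from a forged one carrying a sequence number in the same range, which is what the MD5 and anti-spoofing advice in the reply addresses.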
