[nsp] bgp vulnerability?
Gert Doering
gert at greenie.muc.de
Tue Apr 20 18:17:41 EDT 2004
Hi,
On Tue, Apr 20, 2004 at 05:07:37PM -0400, Jared Mauch wrote:
> > A *real* vendor fix would be to completely decouple the control plane
> > from the forwarding plane.
>
> You can run your iBGP in a vrf already, I assume you've
> at least taken this level of securing your devices based on your
> above statement :)
Actually I haven't, as not all our boxes have the necessary feature set.
We have made sure, though, that packets with a source address that would
match one of the iBGP sessions can not enter our network (long ago
already). Plus MD5.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
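
An added example, not part of the original message: a small audit of the source-address filter described above. It checks whether an edge ingress ACL drops packets whose source is one of your iBGP session addresses. The ACL lines follow the IOS extended-ACL form, reduced to `permit|deny ip <src> <dst>`; the ACL text and all addresses are constructed (documentation ranges), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: edge ingress ACL and iBGP session endpoints.
EDGE_IN_ACL = """
deny ip 192.0.2.0 0.0.0.255 any
deny ip host 198.51.100.7 host 203.0.113.1
permit ip any any
"""
IBGP_PEERS = ["192.0.2.1", "192.0.2.2", "198.51.100.7"]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src_net, dst_is_any)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, rest = tok[0], tok[2:]            # tok[1] is the protocol ('ip')
        if rest[0] == "any":
            src, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            src, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        else:                                     # address followed by wildcard mask
            wild = int(ipaddress.IPv4Address(rest[1]))
            if wild & (wild + 1):                 # only contiguous wildcards handled
                raise ValueError("non-contiguous wildcard: " + line)
            src = ipaddress.ip_network((rest[0], 32 - wild.bit_length()), strict=False)
            rest = rest[2:]
        rules.append((action, src, rest == ["any"]))
    return rules

def spoofable_peers(acl_text, peers):
    """Peers whose address, used as a spoofed source, can still pass the ACL."""
    rules = parse_acl(acl_text)
    exposed = []
    for peer in map(ipaddress.ip_address, peers):
        for action, src, dst_any in rules:        # first match wins
            if peer not in src:
                continue
            if action == "deny" and dst_any:
                break                             # dropped for every destination
            if action == "permit":
                exposed.append(str(peer))         # at least some packets get in
                break
            # deny toward one destination only: keep evaluating later rules
        # falling off the end means the implicit deny drops the packet
    return exposed

if __name__ == "__main__":
    print("not filtered at the edge:", spoofable_peers(EDGE_IN_ACL, IBGP_PEERS))
```

The check is conservative: a `deny` that names a specific destination does not count as coverage, so a peer address is reported unless it is dropped regardless of destination.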