[nsp] bgp vulnerability?

Gert Doering gert at greenie.muc.de
Wed Apr 21 04:18:18 EDT 2004


Hi,

On Wed, Apr 21, 2004 at 10:10:49AM +0300, Ilker YILMAZ wrote:
> How can i block RSTs that do not carry valid MD5 hash using
> access-lists, or is there a way to do that otherwise? 

To be effective, the RSTs need to have a spoofed source address.  While
you cannot filter on RST-without-MD5 explicitly, you don't have to - 
switch on MD5 on your BGP sessions (so the router will automatically
ignore RST-without-MD5), and install proper anti-spoofing filters.

> Let's say that i
> provide customers internet access via my backbone and i'm talking bgp to
> my providers and want to secure this bgp updates?

Switch on MD5 towards your upstream providers.

Install an access-list on your upstream links that will reject packets
coming in with a source address belonging to your network.  This way,
spoofed RSTs targeting your BGP links to your customers won't be able
to enter your network.

Install ACLs on your customer links, preventing packets with source
addresses not belonging to the customer from entering your network.  This
way you protect everybody else.  On single-homed customers and Cisco
gear, the easiest way is to enable "ip verify unicast reverse-path" on
all customer interfaces.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
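The three measures in the reply above (MD5 on the upstream BGP session, an ingress ACL on the upstream link that drops packets claiming your own source addresses, and strict uRPF on single-homed customer interfaces), put together as one IOS configuration. This is an added example, not part of the original post: the interface names, AS numbers, the password and the addresses (RFC 5737 documentation ranges) are constructed placeholders, and the exact commands may differ between IOS releases.

```cisco
! Added example, not from the original post. Addresses are RFC 5737
! documentation ranges, constructed for illustration only:
!   192.0.2.0/24     = my own backbone prefix
!   198.51.100.0/24  = single-homed customer behind Serial0/1
!   203.0.113.1      = upstream provider's BGP peer address
! AS numbers, interface names and the password are placeholders.

! Strict uRPF needs CEF.
ip cef

! 1. MD5 (TCP option 19) on the eBGP session towards the upstream.
!    Both ends must configure the same password; once set, the router
!    discards TCP segments for this session (RSTs included) that do
!    not carry a valid MD5 signature.
router bgp 64496
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 password PLACEHOLDER-LONG-SHARED-SECRET

! 2. Ingress ACL on the upstream link: drop anything arriving from the
!    outside whose source address belongs to my network or my customers,
!    so a spoofed RST aimed at a customer-facing BGP session never gets in.
!    "log" is optional; it makes attempts visible in syslog.
ip access-list extended FROM-UPSTREAM
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 198.51.100.0 0.0.0.255 any log
 permit ip any any
!
interface GigabitEthernet0/0
 description Upstream provider
 ip access-group FROM-UPSTREAM in

! 3. Customer links: strict uRPF accepts a packet only if the route back
!    to its source address points out the interface it arrived on, so a
!    single-homed customer cannot inject spoofed sources into the backbone.
interface Serial0/1
 description Single-homed customer (198.51.100.0/24)
 ip verify unicast reverse-path
```

Step 3 only fits single-homed customers because strict uRPF drops legitimate traffic when a customer's return route points out a different interface; for multi-homed customers the ingress ACL approach from step 2 is the safer choice.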

