[nsp] MD5 causes bigger problem than it fixes?

Edward Henigin ed at texas.net
Wed Apr 21 15:26:34 EDT 2004


On Wed, Apr 21, 2004 at 12:06:51PM -0700, Dan Hollis said:
> 
> Or you could just put anti spoofing filters at your borders and kill this 
> BGP vulnerability _and any future variants_ totally dead, permanently.

I'm actually a little confused about that.  Reasonable-seeming
operators have suggested that, but I don't understand how you can
configure it.  I must be missing something.

Given something like:

interface POS3/0
 ip address 192.168.100.9 255.255.255.252
!
router bgp 100
 neighbor 192.168.100.10 remote-as 200
!

It sounds to me as though you are suggesting something like:

access-list 100 deny ip 192.168.100.8 0.0.0.3 192.168.100.8 0.0.0.3
access-list 100 permit ip any any
!
interface POS3/0
 ip access-group 100 in
 ip access-group 100 out

But wouldn't that break the BGP session?

If you aren't suggesting the above, then please have patience and
forgive my denseness, and let me know what you are suggesting.
How can I tell the difference between a spoofed packet and a real
packet coming in on that interface?  (Aside from the evil bit, of
course.)

Regardless of that hurdle, I don't see filtering as a realistic
approach, due to, again, the ease of a CPU DOS when you have filters
in place.  IIRC, my Ciscos do NOT do line-rate ACLs...

Thanks,

Ed
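Added illustration, not part of the thread: a small Python model of how an IOS-style extended access-list with wildcard masks is evaluated (first match wins, implicit deny at the end), run against the addresses in the message. It reads the first entry's destination as 192.168.100.8 0.0.0.3, i.e. the link's own /30. The second access-list, and the idea that an anti-spoofing filter belongs inbound on the other border interfaces rather than on the peering link itself, are this example's own assumptions about what such a filter looks like; they are not quoted from anyone in the thread.

```python
# Added example (not from the thread): evaluate IOS-style extended ACL entries
# with wildcard masks to see which packets they match.
import ipaddress


def _ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _matches(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care'."""
    wc = _ip_int(wildcard)
    return (_ip_int(addr) & ~wc) == (_ip_int(base) & ~wc)


def parse_ace(line: str):
    """Parse 'deny|permit ip <src> <wc> <dst> <wc>', accepting 'any' and 'host X'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]  # drop the 'access-list <number>' prefix
    action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol ('ip')
    fields = []
    i = 0
    for _ in range(2):  # source, then destination
        if rest[i] == "any":
            fields.append(("0.0.0.0", "255.255.255.255"))
            i += 1
        elif rest[i] == "host":
            fields.append((rest[i + 1], "0.0.0.0"))
            i += 2
        else:
            fields.append((rest[i], rest[i + 1]))
            i += 2
    return action, fields[0], fields[1]


def evaluate(acl, src: str, dst: str) -> str:
    """Return the action of the first matching entry; IOS denies if nothing matches."""
    for action, (sb, sw), (db, dw) in map(parse_ace, acl):
        if _matches(src, sb, sw) and _matches(dst, db, dw):
            return action
    return "deny"


# The access-list from the message, with the /30 of the link on both sides.
MESSAGE_ACL = [
    "access-list 100 deny ip 192.168.100.8 0.0.0.3 192.168.100.8 0.0.0.3",
    "access-list 100 permit ip any any",
]

# Assumed anti-spoofing filter: applied *inbound* on the other border
# interfaces (customer/transit edges), never on POS3/0 itself.  Packets that
# claim to come from the peering link's addresses must not arrive elsewhere.
ANTI_SPOOF_INBOUND = [
    "deny ip 192.168.100.8 0.0.0.3 any",
    "permit ip any any",
]

LOCAL, NEIGHBOR = "192.168.100.9", "192.168.100.10"


def session_packet_verdicts(acl) -> dict:
    """Verdict for the BGP session's own packets in each direction."""
    return {
        "neighbor->local": evaluate(acl, NEIGHBOR, LOCAL),
        "local->neighbor": evaluate(acl, LOCAL, NEIGHBOR),
    }


def spoof_filter_verdicts() -> dict:
    """What the assumed inbound filter does on a non-peering border interface."""
    return {
        # a packet pretending to be the neighbour, arriving from outside
        "spoofed-neighbor-source": evaluate(ANTI_SPOOF_INBOUND, NEIGHBOR, LOCAL),
        # ordinary traffic from an unrelated source (constructed address)
        "ordinary-traffic": evaluate(ANTI_SPOOF_INBOUND, "203.0.113.5", LOCAL),
    }


if __name__ == "__main__":
    print("ACL from the message on POS3/0:", session_packet_verdicts(MESSAGE_ACL))
    print("Assumed inbound filter elsewhere:", spoof_filter_verdicts())
```

Run as a script, the first line shows both directions of the session's own traffic hitting the deny entry, which is why that access-list on POS3/0 would take the session down. The second shows the assumed filter doing its job on the other interfaces: a packet carrying the neighbour's address as its source is dropped there, ordinary traffic is not, and POS3/0 itself carries no such filter, so nothing on that interface has to tell a real packet from a spoofed one.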


More information about the cisco-nsp mailing list