[nsp] MD5 causes bigger problem than it fixes?
Gert Doering
gert at greenie.muc.de
Wed Apr 21 15:47:39 EDT 2004
Hi,
On Wed, Apr 21, 2004 at 12:25:38PM -0700, Dan Hollis wrote:
> On Wed, 21 Apr 2004, Gert Doering wrote:
> > Please elaborate on what an anti-spoofing filter could look like that
> > will solve the problem in the following eBGP example:
> Um, tell your upstream to filter? Seems a prudent thing to do.
Exactly my point, thanks.
Access-Lists that *you* install will not protect *your* infrastructure.
If your upstream (or any of the participants on a shared IXP
infrastructure) messes up *their* filters, then *your* eBGP is
vulnerable.
And MD5 plus RST/SYN rate limiting will mediate that.
(This doesn't mean that you should neglect anti-spoofing filtering.
Of course not! Anti-spoofing filtering will protect your iBGP, and
will protect everybody else from spoofed packets coming in from your
customers)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de