[nsp] MD5 causes bigger problem than it fixes?
Rubens Kuhl Jr.
rubens at email.com
Wed Apr 21 18:16:29 EDT 2004
> Generally speaking, IXPs can't filter on IP address because they are not
> privy to the agreements between different connected parties and thus
> can't tell what should be accepted.
I was thinking of MAC-filtering at the peer router, not at the IXP fabric.
> BGP packets from one peer can definitely come from another peer.
> Consider the following:
>
> +-----------+   +-----------+
> |    AS1    |---|    AS1    |
> |  router1  |   |  router2  |
> +-----------+   +-----------+
It's still a finite set of MAC addresses...
> >> is there a solution to protect against this issue?
> > BGP-over-IPSEC ?
>
> Same CPU issue as MD5, is it not? For directly connected sessions
> there's the TTL hack (if Juniper implements it soon too, at least).
Maybe, maybe not. It needs real testing as well, with both CPU-based routers
(7200) and routing engines (GSR GRP, Juniper RE).
Rubens
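The three defenses the thread weighs (a per-peer MAC filter on the peering router, the TTL hack of accepting only TTL 255 from a directly connected neighbour, and TCP MD5 signatures per RFC 2385) can be shown together on a simulated BGP receive path. The following is an added example written for this archive page, not code from the thread or from any router vendor; the helper names, the peer addresses, the MAC addresses and the shared key are constructed for the illustration, and the TCP checksum is left at zero since RFC 2385 hashes the header with the checksum zeroed anyway.

```python
"""Simulated receive-path checks for an eBGP session across an exchange
fabric: peer MAC allow-list, GTSM/TTL check, then RFC 2385 MD5 signature.
Helper names and sample packets are constructed for this example."""
import hashlib
import hmac
import ipaddress
import struct

MD5_OPTION_KIND = 19      # TCP option kind for the RFC 2385 signature
MD5_OPTION_LEN = 18       # kind + length + 16-byte digest
GTSM_EXPECTED_TTL = 255   # directly connected peer; no hop can raise a TTL
BGP_PORT = 179


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest: pseudo-header, fixed 20-byte TCP header with the
    checksum zeroed, segment data, then the shared key. Options are left
    out of the hash but still count toward the segment length."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))  # zero, proto TCP, length
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"                       # checksum assumed zero
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Build a TCP segment carrying an MD5 option (checksum left at zero)."""
    nop_pad = b"\x01\x01"                            # pad options to 4 bytes
    data_offset = (20 + MD5_OPTION_LEN + len(nop_pad)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, 65535, 0, 0)
    opt_head = bytes([MD5_OPTION_KIND, MD5_OPTION_LEN])
    # The digest depends on lengths, not option bytes: sign with a blank option.
    blank = fixed + opt_head + b"\x00" * 16 + nop_pad
    digest = tcp_md5_digest(src_ip, dst_ip, blank, payload, key)
    return fixed + opt_head + digest + nop_pad + payload


def split_segment(segment):
    """Return (tcp_header_including_options, payload) via the data offset."""
    hdr_len = (segment[12] >> 4) * 4
    return segment[:hdr_len], segment[hdr_len:]


def extract_md5_option(tcp_header):
    """Walk the TCP option list; return the 16-byte digest or None."""
    i = 20
    while i < len(tcp_header):
        kind = tcp_header[i]
        if kind == 0:                                # end of option list
            return None
        if kind == 1:                                # NOP
            i += 1
            continue
        if i + 1 >= len(tcp_header) or tcp_header[i + 1] < 2:
            return None                              # malformed: treat as absent
        length = tcp_header[i + 1]
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            return bytes(tcp_header[i + 2:i + 18])
        i += length
    return None


def accept_bgp_segment(frame, peer_policy):
    """Cheapest check first (MAC, then TTL) so the MD5 computation the thread
    worries about only runs for frames that already look like the peer's."""
    policy = peer_policy.get(frame["src_ip"])
    if policy is None:
        return False, "unknown peer address"
    if frame["src_mac"].lower() != policy["mac"].lower():
        return False, "source MAC not the configured peer"
    if frame["ttl"] != GTSM_EXPECTED_TTL:
        return False, "TTL %d: not directly connected" % frame["ttl"]
    header, payload = split_segment(frame["segment"])
    received = extract_md5_option(header)
    if received is None:
        return False, "MD5 option missing"
    expected = tcp_md5_digest(frame["src_ip"], frame["dst_ip"], header, payload, policy["key"])
    if not hmac.compare_digest(received, expected):
        return False, "MD5 signature mismatch"
    return True, "accepted"


# Constructed sample: we (192.0.2.2) peer with AS1 router1 at 192.0.2.1.
PEER_POLICY = {"192.0.2.1": {"mac": "02:00:00:00:00:01", "key": b"example-key"}}
ME = "192.0.2.2"
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"          # BGP KEEPALIVE: marker, len 19, type 4


def make_frame(src_mac, ttl, key, payload=KEEPALIVE):
    seg = build_signed_segment("192.0.2.1", ME, 40000, BGP_PORT, 1000, 2000, 0x18, payload, key)
    return {"src_mac": src_mac, "src_ip": "192.0.2.1", "dst_ip": ME, "ttl": ttl, "segment": seg}


def demo():
    cases = {
        "genuine": make_frame("02:00:00:00:00:01", 255, b"example-key"),
        "other_router_same_as": make_frame("02:00:00:00:00:02", 255, b"example-key"),
        "multihop_spoof": make_frame("02:00:00:00:00:01", 254, b"example-key"),
        "wrong_key": make_frame("02:00:00:00:00:01", 255, b"wrong"),
    }
    return {name: accept_bgp_segment(f, PEER_POLICY) for name, f in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-22s %s (%s)" % (name, "ACCEPT" if ok else "DROP", why))
```

Running the script prints one line per constructed frame; only the genuine one is accepted, and the order of the checks means the MD5 digest is computed only for frames that have already passed the MAC and TTL tests, which is the point of layering the cheap checks in front of the CPU-bound one.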
More information about the cisco-nsp mailing list