[c-nsp] Best practise/security design for BGP and OSPF

CiscoNSP List CiscoNSP_list at hotmail.com
Wed May 24 22:25:20 EDT 2017 

Cheers for the replies - Just to clarify, these templates were for purely PE->RR (Not for transit), we do run key-chain auth on OSPF, and I was hoping to do likewise for iBGP -> RR's, but I dont *think* key-chains are supported in XE (Yet?)...I need to do some more reading, but I believe XR supports it, but not XE?  Regarding TTL....(In both OSPF and BGP)....hop count can be arbitrary, if we encounter a link failure...do we just use worse case scenario hops ?  Is there anything you'd add/remove from the templates that Ive sent through?  (Obviously soft-reconfig inbound chews memory, and can be removed, but things like max-prefix .....have it currently set at warning only...recommend killing the session for x minutes if it's exceed?)....any other suggestions are greatly appreciated....thanks.


________________________________
From: Saku Ytti <saku at ytti.fi>
Sent: Tuesday, 23 May 2017 7:10 PM
To: adamv0025 at netconsultings.com
Cc: CiscoNSP List; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Best practise/security design for BGP and OSPF

On 23 May 2017 at 12:00,  <adamv0025 at netconsultings.com> wrote:

Hey,

> Regarding OSPF,
> Best security is to use it solely for routing PE loopbacks (i.e. no
> connectivity outside the core).

But because it's IP, you might receive spooffed packet further down
the line and believe you received it from far-end. So OP's question
about TTL-security is valid one, and I'd support that. I'd also run
MD5 auth.
But of course if you have good iACL, stopping internet from sending
other than ICMP, UDP highports to links and loops, you should be
pretty safe.

ISIS and OSPF have quite interesting properties, ISIS is more secure
out-of-the-box, but in many cases you cannot stop box from punting
CLNS packets, so any edge-interface may reach control-plane by crafted
CLNS packets (without ISIS being configured on the interface).
Where-as OSPF out-of-the-box is less secure due to IP, but pretty much
every box supports ACLs, allowing you to consistently protect box.'

--
  ++ytti

More information about the cisco-nsp mailing list