[c-nsp] Best practise/security design for BGP and OSPF

adamv0025 at netconsultings.com adamv0025 at netconsultings.com
Fri May 26 07:44:57 EDT 2017


Don't use ttl check on iBGP sessions, it doesn't add any security. 

Regarding OSPF unless you are using virtual-links or sham-links, then all
messages are bound to a directly connected subnet so you can safely
implement the ttl check with 254 (one hop). 


Regarding securing PE-RR iBGP sessions, there's nothing that can be done
from security perspective, other than maybe the obligatory MD5 hash, cause
at this stage it's too late or way too complex to implement any security.
The BGP infrastructure has to be protected at the edges of the AS. 


Maybe the only other thing that you can enable if not enabled by default and
supported is the BGP enhanced attribute error handling (or even BGP
attribute filtering -but again that if implemented should be done at the

But just checked and the enhanced attribute error handling is enabled by
default on XE 3S and IOS 15. and XR 4.3. 





::carrier-class solutions for the telecommunications industry::


From: CiscoNSP List [mailto:CiscoNSP_list at hotmail.com] 
Sent: Thursday, May 25, 2017 3:25 AM
To: Saku Ytti; adamv0025 at netconsultings.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Best practise/security design for BGP and OSPF


Cheers for the replies - Just to clarify, these templates were for purely
PE->RR (Not for transit), we do run key-chain auth on OSPF, and I was hoping
to do likewise for iBGP -> RR's, but I dont *think* key-chains are supported
in XE (Yet?)...I need to do some more reading, but I believe XR supports it,
but not XE?  Regarding TTL....(In both OSPF and BGP)....hop count can be
arbitrary, if we encounter a link failure...do we just use worse case
scenario hops ?  Is there anything you'd add/remove from the templates that
Ive sent through?  (Obviously soft-reconfig inbound chews memory, and can be
removed, but things like max-prefix .....have it currently set at warning
only...recommend killing the session for x minutes if it's exceed?)....any
other suggestions are greatly appreciated....thanks. 



From: Saku Ytti <saku at ytti.fi <mailto:saku at ytti.fi> >
Sent: Tuesday, 23 May 2017 7:10 PM
To: adamv0025 at netconsultings.com <mailto:adamv0025 at netconsultings.com> 
Cc: CiscoNSP List; cisco-nsp at puck.nether.net
<mailto:cisco-nsp at puck.nether.net> 
Subject: Re: [c-nsp] Best practise/security design for BGP and OSPF 


On 23 May 2017 at 12:00,  <adamv0025 at netconsultings.com
<mailto:adamv0025 at netconsultings.com> > wrote:


> Regarding OSPF,
> Best security is to use it solely for routing PE loopbacks (i.e. no
> connectivity outside the core).

But because it's IP, you might receive spooffed packet further down
the line and believe you received it from far-end. So OP's question
about TTL-security is valid one, and I'd support that. I'd also run
MD5 auth.
But of course if you have good iACL, stopping internet from sending
other than ICMP, UDP highports to links and loops, you should be
pretty safe.

ISIS and OSPF have quite interesting properties, ISIS is more secure
out-of-the-box, but in many cases you cannot stop box from punting
CLNS packets, so any edge-interface may reach control-plane by crafted
CLNS packets (without ISIS being configured on the interface).
Where-as OSPF out-of-the-box is less secure due to IP, but pretty much
every box supports ACLs, allowing you to consistently protect box.'


More information about the cisco-nsp mailing list