[c-nsp] Best practise/security design for BGP and OSPF

adamv0025 at netconsultings.com adamv0025 at netconsultings.com
Mon May 29 04:54:34 EDT 2017


> Saku Ytti [mailto:saku at ytti.fi]
> Sent: Friday, May 26, 2017 2:48 PM
> 
> On 26 May 2017 at 14:44,  <adamv0025 at netconsultings.com> wrote:
> 
> Hey,
> 
> > Regarding OSPF unless you are using virtual-links or sham-links, then
> > all messages are bound to a directly connected subnet so you can
> > safely implement the ttl check with 254 (one hop).
> 
> This is implementation specific and you need to know which one it is.
> If figuring it out is challenging, start with 255 and see if it works; if not, revert
> to 254. For example, in the JNPR lo0 filter we verify that ICMP ND has hop-limit
> 255, because it's done before TTL is decremented; verifying 254 would
> expose us to ICMP ND attacks from one hop off-link.
> 
Yeah, it might need a bit of jigging to get the TTL value right.
But once again, the edge filters (iACLs) should not allow OSPF towards edge interfaces, internal infrastructure and loopback address ranges.
As a matter of fact, the set of protocols that should be allowed in iACLs is pretty narrow.

All I'm trying to say is that doing security within the core is too little, too late. Yes, security has to be implemented in a layered approach (e.g. if your iACL is misconfigured you still have TTL-sec), but securing OSPF without good iACLs won't cut it.

adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::
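The layering described in this exchange (an iACL that keeps OSPF and BGP away from infrastructure ranges from the edge, with TTL security as the second line behind it), written out as an added Cisco IOS example. This is editor-supplied illustration, not configuration from the thread; the 192.0.2.0/24 (core links), 198.51.100.0/24 (loopbacks) and 203.0.113.0/30 (eBGP peering link) ranges, interface name and ASN are placeholders.

```cisco-ios
! Placeholder ranges: 192.0.2.0/24 = core links, 198.51.100.0/24 = loopbacks,
! 203.0.113.0/30 = eBGP peering link (203.0.113.1 local, 203.0.113.2 peer)
ip access-list extended EDGE-IACL-IN
 remark -- Routing protocols must never reach infrastructure from the edge
 deny   ospf any 192.0.2.0 0.0.0.255
 deny   ospf any 198.51.100.0 0.0.0.255
 deny   ospf any host 224.0.0.5
 deny   ospf any host 224.0.0.6
 deny   tcp  any 192.0.2.0 0.0.0.255 eq bgp
 deny   tcp  any 198.51.100.0 0.0.0.255 eq bgp
 remark -- Narrow allow list: eBGP only from the directly connected peer
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 203.0.113.1
 remark -- Keep ICMP that path-MTU discovery and troubleshooting need
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 198.51.100.0 0.0.0.255 packet-too-big
 permit icmp any 203.0.113.0 0.0.0.3 echo
 remark -- Everything else aimed at infrastructure is dropped
 deny   ip any 192.0.2.0 0.0.0.255
 deny   ip any 198.51.100.0 0.0.0.255
 deny   ip any 203.0.113.0 0.0.0.3
 remark -- Transit traffic to customers/peers is not the iACL's concern
 permit ip any any
!
interface GigabitEthernet0/0
 description Edge-facing interface (placeholder)
 ip access-group EDGE-IACL-IN in
!
! Second layer: TTL security on the routing protocols themselves, so a
! misconfigured or bypassed iACL still leaves only on-link speakers able
! to form adjacencies. "hops 1" = directly connected; the exact TTL the
! platform accepts (254 vs 255) is implementation specific, as the thread says.
router ospf 1
 ttl-security all-interfaces
!
router bgp 64496
 neighbor 203.0.113.2 remote-as 64497
 neighbor 203.0.113.2 ttl-security hops 1
```

Verify the first layer with `show ip access-lists EDGE-IACL-IN` (deny counters for the ospf entries should stay flat in normal operation) and the second with `show ip ospf interface` and `show ip bgp neighbors 203.0.113.2`, which report the TTL security state.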
