Great Circle Associates Firewalls
(September 1996)

Subject: Re: SYN floods
From: Paul Ferguson <pferguso @ cisco . com>
Date: Thu, 12 Sep 1996 21:45:16 -0400
To: Todd Truitt <Todd . Truitt @ evolving . com>
Cc: sjg @ zen . quick . com . au (Simon J. Gerraty), firewalls @ GreatCircle . COM, Todd . Truitt @ evolving . com

I continue to encourage service providers who are peering with one
another to use MD5 route authentication (when possible) when
establishing BGP peering. This can, at least, thwart someone clever
from feeding you bogus routes. (The same functionality is available
for OSPF and RIPv2 within cisco IOS.)

This means that each segment sent on the TCP connection between BGP peers
is verified against this hash.

Of course, this does nothing to thwart someone from flooding a given
host with TCP SYNs, as these are generally passed along in the traffic
stream.

This is a harder problem to solve than one would suspect.

- paul

At 05:27 PM 9/12/96 -0600, Todd Truitt wrote:

>
>Perhaps a valid solution to this would be to implement
>cryptographic authentication between the external interfaces of
>the autonomous systems.  What I'm trying to get at is for
>cisco routers (for example) to use a crypto key inside each
>BGP header which is based upon domain name, IP address and hardware
>address which will be authenticated by its neighbors as the packet
>traverses the next hop.  If authentication fails, the packet gets
>dumped into the bit bucket in the sky.  This way, the SYNs never
>become an overwhelming problem absorbing CPU cycles and bandwidth
>because they are dumped before they traverse the OSI stack.  Bellovin
>touches upon cryptographic authentication in RFC 1948, but he's
>discussing it in the transport layer while I'm moving along the
>lines of testing on the network layer.
>

--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Reston, Virginia   USA                                 ||||      ||||
tel: +1.703.716.9538                               ..:||||||:..:||||||:..
e-mail: pferguso @ cisco . com                      c i s c o S y s t e m s
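As an added illustration of the mechanism Paul describes (this is example code written for this page, not code from the original message or from cisco): the per-segment MD5 check that `neighbor <ip> password <string>` under `router bgp` enables in IOS, later documented as the TCP MD5 Signature Option in RFC 2385. The digest covers the TCP pseudo-header, the fixed TCP header with the checksum zeroed and options excluded, the data, and finally the shared key, and it rides in option kind 19. The addresses, ports, payload and key below are constructed for the example. `flood_cost` makes his second point concrete: a receiver that holds a key can drop a SYN with no option for free, but every SYN that carries a bogus option still costs one MD5 computation before it can be discarded, so signing the session does not stop a flood.

```python
"""Build and verify the TCP MD5 signature option (RFC 2385) on constructed segments."""
import hashlib
import hmac
import socket
import struct

TCP_MD5_KIND = 19        # option kind carrying the MD5 signature
TCP_MD5_OPTLEN = 18      # kind(1) + length(1) + digest(16)
IPPROTO_TCP = 6
FIXED_HDR = 20           # TCP header length without options
SYN = 0x02


def _pseudo_header(src_ip, dst_ip, tcp_len):
    """Checksum pseudo-header: src, dst, zero, protocol, TCP length (hdr+opts+data)."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, IPPROTO_TCP, tcp_len)


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 section 2: MD5 over pseudo-header, fixed TCP header (checksum zeroed,
    options excluded), the segment data, and the connection key, in that order."""
    data_off = (segment[12] >> 4) * 4
    fixed = bytearray(segment[:FIXED_HDR])
    fixed[16:18] = b"\x00\x00"                 # checksum is assumed to be zero
    payload = segment[data_off:]
    m = hashlib.md5()
    m.update(_pseudo_header(src_ip, dst_ip, len(segment)))
    m.update(bytes(fixed))
    m.update(payload)
    m.update(key)
    return m.digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Sender side: a TCP segment carrying a correct MD5 option (real checksum omitted)."""
    opt_len = TCP_MD5_OPTLEN + 2               # pad to a 32-bit boundary with two EOL bytes
    data_off = (FIXED_HDR + opt_len) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_off << 4, flags, 65535, 0, 0)
    # The option bytes are not covered by the digest, so sign with a placeholder first.
    placeholder = bytes([TCP_MD5_KIND, TCP_MD5_OPTLEN]) + b"\x00" * 18
    digest = tcp_md5_digest(src_ip, dst_ip, fixed + placeholder + payload, key)
    options = bytes([TCP_MD5_KIND, TCP_MD5_OPTLEN]) + digest + b"\x00\x00"
    return fixed + options + payload


def build_plain_syn(sport, dport, seq):
    """A SYN with no options at all, as a host without the key would send."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, (FIXED_HDR // 4) << 4, SYN,
                       65535, 0, 0)


def find_md5_option(segment):
    """Walk the TCP options; return the 16-byte digest or None if the option is absent."""
    data_off = (segment[12] >> 4) * 4
    opts = segment[FIXED_HDR:data_off]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # EOL
            break
        if kind == 1:                          # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                              # malformed option list
        length = opts[i + 1]
        if kind == TCP_MD5_KIND and length == TCP_MD5_OPTLEN:
            return bytes(opts[i + 2:i + 18])
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key, stats=None):
    """Receiver side for a keyed connection: drop if the option is missing (no MD5 work
    needed) or if the digest does not match. `stats["digests"]` counts MD5 computations."""
    received = find_md5_option(segment)
    if received is None:
        return False
    if stats is not None:
        stats["digests"] = stats.get("digests", 0) + 1
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(received, expected)


def flood_cost(src_ip, dst_ip, key, count):
    """Attacker sends `count` SYNs, each with an option signed under a guessed key.
    Returns (segments accepted, MD5 digests the receiver had to compute)."""
    stats = {}
    accepted = 0
    for i in range(count):
        bogus = build_segment(src_ip, dst_ip, 1024 + i, 179, i, 0, SYN, b"",
                              b"guess-%d" % i)
        if verify_segment(src_ip, dst_ip, bogus, key, stats):
            accepted += 1
    return accepted, stats.get("digests", 0)
```

The hashing order and the checksum-zeroing rule are exactly what make the option interoperable between implementations; a receiver that included the option bytes themselves, or the checksum, in its MD5 would never match a sender that followed the RFC. Note that the key is appended raw (this is keyed MD5, not HMAC), which is why the scheme was later superseded by TCP-AO.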


