Great Circle Associates Firewalls
(February 1995)
 


Subject: Re: Dynamic Routing: Security Problems?
From: Darren Reed <avalon @ coombs . anu . edu . au>
Date: Thu, 16 Feb 1995 19:53:36 +1100 (EDT)
To: johns @ oxygen . house . gov (John Schnizlein)
Cc: firewalls @ greatcircle . com, stempfld @ CC . IMS . DISA . MIL
In-reply-to: <9502152218 . AA30713 @ oxygen . house . gov> from "John Schnizlein" at Feb 15, 95 05:18:24 pm

[...]
> For the paranoid: if a bad-guy gets control of core routes for your ISP,
> you're toast. Actually, judicious use of default routes and packet filtering
> for "impossible" route paths limits the damage to denial of service.
> Do not believe routing updates unless the damage to the other guy is much
> worse than the damage to you if they are bogus. (Why ISPs take good care.)
> Worry about this only after all reusable passwords are gone from your hosts.

Whilst I understand the whole point of running a routing daemon is to take
advantage of changing network topology, for many networks, there is a single
route out onto the big bad Internet.  I find that using static routes (added
at bootup) and then using gated to ONLY advertise routes seems to work quite
well.  This saves me lots of worry as even if someone sends me a bogus
update, it is just ignored :-)

darren

