On Tue, 20 Apr 2004, Blaine Christian wrote:
The other is our new hot topic of security, not sure if anyone has thought of this yet (or how interesting it is) but the nature of the bgp attack means that if you can view a BGP session you can figure things about a peer that would otherwise be hidden from you in particular the port numbers in use.. and I'm not entirely clear on the details but it sounds like when you hit the first session, you can take the rest out very easily.
We cant take BGP out of band (yet!), perhaps we can keep it better hidden from view tho..
There are more protection methods available than just MD5 (as you allude to Steve). One mitigator is to use "non-routed" space for BGP peer connections. If you have the ability to filter on TTL 255 you are in even better shape (arguably perfectly secure against all but configuration/hardware failures). You have some vulnerability with non-routed space if you do default routing or have folks who default towards the device doing the BGP peering though. Source routing is also a potential hazard for the non-routed solution (does anyone have this enabled anymore?).
Apologies for the morph but this raised a great point.
Hmm ok so assume for a moment that I dont want RFC1918 for my links, what are my options? : There isnt a "link-local" for IP altho this would be a great solution (surely this can be written for BGP??). Or I could use all eBGP addresses from a block which I dont route and filter internally.. I suspect this is a non-starter, I will have to include all my addresses given to me by peers and its gonna screw traces, monitoring etc. Can I use secondary IP addresses and then BGP with these addresses, this would be a form of "security by obscurity" but providing you can keep the info a secret thats surely going to do it? Steve