On Thu, 31 Mar 2005, Pekka Savola wrote:
On Wed, 30 Mar 2005, John Kristoff wrote: [on bgp/md5 and acl's]
ACLs are often used, but vary widely depending on organization.
(and equipment in use)
It can be difficult to manage ACLs on a box with a large number of peers that uses many local BGP peering addresses. I'm sure
provided your gear supports it an acl (this is one reason layered acls would be nice on routers) per peer with:
permit /30 eq 179 /30
permit /30 /30 eq 179
deny all-network-gear-ip-space (some folks call it backbone ip space, Paul Quinn at cisco says: "Infrastructure ip space")
no more traffic to the peer except BGP from the peer /30. No more ping, no more traceroute of interface... (downsides perhaps?) and the 'customer' can still DoS himself :( (or his compromised machine can DoS him)
some organizations reviewed and updated their ACLs as a result of the last scare, but that is a local, private decision and it would probably be hard to get good sample of who and what changed.
some people still use 'cisco' for their password, even on non-cisco platforms :( this md5 discussion isn't the only security problem :(
I would be double careful here, just to make sure everybody understands what you're protecting.
iBGP sessions? ACLs are trivial if you have your borders secured.
ibgp, provided your infrastructure space is separate from 'customer' space is simpler... but keep in mind the possible downsides (no ping, no traceroute, harder troubleshooting for the customers, perhaps)
eBGP sessions? GTSM is your friend (if supported). Practically, if you know your peer and you also protect your borders, ACLs are rather trivial as well.
borders, for some folks, are wide, varied and complex :( So, for some folks with limited border size/breadth making these things trivial is, of course, easy.
What you seem to be saying is using ACLs to enumerate the valid endpoints for eBGP sessions. That goes further than the above but indeed is also a pain to set up and maintain.
and impossible to implement on some hardware. Note: Some/all of that hardware is going away as time makes it fade into the background... sometimes not fast enough though. -Chris
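A small model of the per-peer ACL described above (permit BGP within the peering /30, deny everything else aimed at infrastructure space) together with the GTSM TTL check mentioned for eBGP, added here as an illustration and not code from anyone in the thread. The Packet type, the TEST-NET addresses and the trailing "permit any" default are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0

def build_peer_acl(peer_link, infra_nets):
    """Per-peer ACL as described in the thread: permit BGP (TCP/179) in
    either direction between the two addresses of the peering /30, then
    deny anything else aimed at infrastructure address space. Everything
    that matches neither rule falls through to the default action."""
    link = ipaddress.ip_network(peer_link)
    infra = [ipaddress.ip_network(n) for n in infra_nets]

    def is_peer_bgp(p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        return (p.proto == "tcp" and src in link and dst in link
                and 179 in (p.sport, p.dport))

    def to_infra(p):
        dst = ipaddress.ip_address(p.dst)
        return any(dst in net for net in infra)

    return [("permit", is_peer_bgp), ("deny", to_infra)]

def evaluate(acl, packet, default="permit"):
    """First matching rule wins; the default models a trailing 'permit any'
    (an assumption) so ordinary transit traffic from the customer still flows."""
    for action, match in acl:
        if match(packet):
            return action
    return default

def gtsm_accepts(ttl, max_hops=1):
    """GTSM (RFC 3682/5082): the peer sends TTL 255, so a packet that has
    crossed more than max_hops routers cannot arrive with a high enough TTL."""
    return ttl >= 256 - max_hops

# Constructed addresses from the TEST-NET ranges: 192.0.2.0/24 plays the
# provider's infrastructure space and 192.0.2.0/30 the peering link.
PEER_ACL = build_peer_acl("192.0.2.0/30", ["192.0.2.0/24"])
```

With these rules the peer can still reach BGP on the local /30 address and send transit traffic elsewhere, but ping or traceroute to any infrastructure address is dropped, which is exactly the troubleshooting downside noted above.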