On Wed, Aug 14, 2002 at 01:23:01PM -0400, Sean Donelan wrote:
> 4. Don't exchange routing information with external parties

And don't trust them. Use limits on the number of prefixes you're willing to accept. Verify routes received with some third party (e.g. a routing database).

> 5. Explicit routing neighbor associations - passive-interface default

Both inbound and outbound. On Ciscos, in addition to passive-interface you might do 'distribute-list 1 in <interface>' where 1 is an ACL that can be simply 'deny any'.

> 6. Address validation on all edge devices

Filter to only allow neighbor IPs to the specific routing protocol. For example, on a BGP peer, filter TCP port 179 on each peer interface to only allow the expected peer IP.

Also: Apply damping as appropriate, but protect subnets serving root DNS servers from accidental damping. Limit the maximum prefix length you're willing to accept. Make extensive use of remote logging and monitoring. Keep an eye on routing table changes over time and the overall operation of the routers. Filter out known bogus routes such as reserved, private, and special-use address space as appropriate.

John
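The inbound checks John describes (a per-neighbor prefix-count limit, a maximum accepted prefix length, and a bogon filter for reserved/private/special-use space) as a small added example that is not part of the original thread; the bogon list, thresholds and sample prefixes are constructed for illustration and are not meant to be complete.

```python
"""Inbound route sanity checks: prefix-count limit, max prefix length,
and a bogon filter. Added example; thresholds and lists are illustrative."""
import ipaddress

# Constructed, non-exhaustive list of address space that should never be
# accepted from an external peer (RFC 1918, loopback, link-local, TEST-NET-1,
# multicast, reserved). A production filter would use a maintained bogon list.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4",
)]


def check_prefix(prefix, max_len=24):
    """Return None if the prefix passes, otherwise a short reject reason."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen > max_len:          # more specific than we will carry
        return "too-specific"
    for bogon in BOGONS:
        if net.subnet_of(bogon):         # falls inside reserved space
            return "bogon"
    # Note: an aggregate that merely covers reserved space (e.g. a /7 over
    # 10/8) passes this check; tighten with net.overlaps() if that matters.
    return None


def filter_update(prefixes, max_prefix=3, max_len=24):
    """Apply per-prefix checks, then the neighbor's maximum-prefix limit.

    Returns (accepted, rejected, session_ok). rejected maps prefix -> reason.
    session_ok is False when the accepted count exceeds max_prefix, which on a
    real router would typically tear the session down rather than accept more.
    """
    accepted, rejected = [], {}
    for p in prefixes:
        reason = check_prefix(p, max_len)
        if reason:
            rejected[p] = reason
        else:
            accepted.append(p)
    return accepted, rejected, len(accepted) <= max_prefix


# Constructed sample update from a hypothetical external peer.
SAMPLE = ["203.0.113.0/24", "10.1.0.0/16", "198.51.100.128/25",
          "192.0.2.0/24", "203.0.113.0/25"]

if __name__ == "__main__":
    print(filter_update(SAMPLE))
```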