Hank Nussbacher wrote:
You mean like for BGP neighbors? Wanna suggest an alternative? :-)

tcp/md5 + gtsm (assuming directly connected peers) makes messing around with bgp sessions rather difficult. Filtering BGP packets at the edge and borders slightly more so. If you have CPU and sufficient quantities of administrivium to spare, you can use ipsec on your routers for these sessions.

The real issue is how to make compromising bgp sessions sufficiently difficult to make it an unattractive target. Given that the cost of getting write access to the DFZ is not really very high either technically or financially, I'd propose that while gtsm / md5 / filtering aren't perfect, they raise the bar high enough to make it not really worth someone's while trying to break them; and IPsec more so.

Nick
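
The two receiver-side checks named in the message above (GTSM per RFC 5082, TCP MD5 per RFC 2385), as an added example that is not part of the original post. The function names, addresses, ports and key are constructed for illustration, and the TTL floor of 255 assumes a directly connected peer as the message does.

```python
import hashlib
import hmac
import socket
import struct

GTSM_MIN_TTL = 255  # direct peer sends TTL 255 and no router hop decrements it
MD5_OPT = 19        # TCP option kind for the RFC 2385 signature (length 18)

def md5_digest(src, dst, header, payload, key):
    """RFC 2385: pseudo-header, option-less header with zero checksum, data, key."""
    base = header[:16] + b"\x00\x00" + header[18:20]
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!BBH", 0, socket.IPPROTO_TCP, len(header) + len(payload))
    return hashlib.md5(pseudo + base + payload + key).digest()

def sign(src, dst, base_header, payload, key):
    """Sender side: append the MD5 option and two padding bytes to a 20-byte header."""
    hdr = bytearray(base_header + bytes(20))
    hdr[12] = (10 << 4) | (hdr[12] & 0x0F)       # data offset becomes 40 bytes
    hdr[20:22] = bytes([MD5_OPT, 18])
    hdr[22:38] = md5_digest(src, dst, bytes(hdr), payload, key)
    return bytes(hdr)                             # trailing zeros end the option list

def find_md5_option(header):
    """Walk the TCP options and return the 16-byte digest, or None."""
    opts, i = header[20:(header[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:         # kind 0 ends the option list
        if opts[i] == 1:                          # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return None                           # malformed option length
        if opts[i] == MD5_OPT and opts[i + 1] == 18 and i + 18 <= len(opts):
            return opts[i + 2:i + 18]
        i += opts[i + 1]
    return None

def accept_segment(ttl, src, dst, header, payload, key):
    if ttl < GTSM_MIN_TTL:                        # GTSM: packet crossed a router hop
        return "drop: gtsm"
    digest = find_md5_option(header)
    if digest is None:
        return "drop: no md5 option"
    if not hmac.compare_digest(digest, md5_digest(src, dst, header, payload, key)):
        return "drop: md5 mismatch"
    return "accept"

# Constructed sample: SYN from port 49152 to BGP port 179, and a made-up shared key.
BASE = struct.pack("!HHIIBBHHH", 49152, 179, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
KEY = b"example-shared-secret"
```

On a production router or host these checks run in the forwarding plane or kernel (on Linux via the `IP_MINTTL` and `TCP_MD5SIG` socket options); the Python only makes the decision order and the digest inputs visible.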