On Tue, 20 Apr 2004, Rodney Joffe wrote:
> However, perhaps someone from Winstar would care to help us all understand what the alternative solution is to securing the session via MD5? I would *love* an alternative to the 5 days of work we've just gone through.
1) Deploy correct ingress/egress filtering at all of your edges, and
2) Make sure your upstreams/peers do that as well, at least for the p-t-p prefixes you use between you and them.

If you can't assume 2), you need something like GTSM or MD5 for the BGP sessions between you and your peers/upstreams.

Note that I assume that if customers don't do ingress/egress filtering for their p-t-p prefixes, they are shooting themselves in the foot, and are the only people suffering from the resets. Similar techniques as mentioned in the previous paragraph could be applied as well, of course.

That is, a thing most people seem to be forgetting is that for these TCP packets to be processed, they must be spoofed to come from a certain source IP address. If packets spoofed from that address are summarily discarded at appropriate places before reaching the infrastructure, you're pretty much safe.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
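The two defences in the reply above, anti-spoofing ingress filtering at the edge and a GTSM (TTL) check on the BGP session, modelled as a small packet filter. This is an added illustration, not code from the NANOG thread or from any router vendor; the topology (a /30 point-to-point link out of the RFC 5737 documentation range, an interface named "ptp" and one named "transit") and the three sample packets are constructed for the example. It shows which of the two measures stops which case: the filter on the transit side catches a forged packet arriving from the wrong direction (point 1), while GTSM catches one that arrives on the peering link with a decremented TTL because the upstream did not filter (the "if you can't assume 2)" case).

```python
"""Toy model of edge anti-spoofing filtering plus GTSM for a BGP session.
Constructed example; addresses are RFC 5737 documentation prefixes."""
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption): we peer with an upstream over the
# point-to-point link 192.0.2.0/30 (we are .1, the peer is .2).  Packets
# from the rest of the Internet arrive on the "transit" interface.
PTP_PREFIX = ipaddress.ip_network("192.0.2.0/30")
OUR_ADDR = ipaddress.ip_address("192.0.2.1")
PEER_ADDR = ipaddress.ip_address("192.0.2.2")
INFRA_PREFIXES = [PTP_PREFIX]  # prefixes that only ever originate on-link
GTSM_EXPECTED_TTL = 255        # directly connected eBGP peer: no decrement
BGP_PORT = 179


@dataclass
class Packet:
    iface: str   # interface the packet arrived on: "ptp" or "transit"
    src: str
    dst: str
    ttl: int
    dport: int


def ingress_filter(pkt: Packet) -> bool:
    """Point 1: a packet whose source lies inside one of our infrastructure
    prefixes may only arrive on the link where that prefix actually lives."""
    src = ipaddress.ip_address(pkt.src)
    for prefix in INFRA_PREFIXES:
        if src in prefix and pkt.iface != "ptp":
            return False  # our own p-t-p address arriving from the wrong side
    return True


def gtsm_check(pkt: Packet) -> bool:
    """GTSM (RFC 3682): segments for the BGP session must carry the TTL a
    directly connected peer would send, i.e. one no intervening hop has
    decremented.  Non-BGP traffic is not subject to this check."""
    if pkt.dport != BGP_PORT:
        return True
    return pkt.ttl >= GTSM_EXPECTED_TTL


def reaches_bgp(pkt: Packet) -> bool:
    """Does this packet get as far as the BGP process on our router?"""
    if ipaddress.ip_address(pkt.dst) != OUR_ADDR or pkt.dport != BGP_PORT:
        return False
    return ingress_filter(pkt) and gtsm_check(pkt)


# Constructed traffic: one legitimate segment from the peer, one that claims
# the peer's address but arrives from the transit side, and one that arrives
# on the peering link after passing through an upstream that did not filter.
SAMPLE = {
    "legit_from_peer": Packet("ptp", str(PEER_ADDR), str(OUR_ADDR), 255, BGP_PORT),
    "spoofed_via_transit": Packet("transit", str(PEER_ADDR), str(OUR_ADDR), 255, BGP_PORT),
    "spoofed_multi_hop": Packet("ptp", str(PEER_ADDR), str(OUR_ADDR), 250, BGP_PORT),
}


def classify(samples=SAMPLE) -> dict:
    """Map each sample name to whether the packet is delivered to BGP."""
    return {name: reaches_bgp(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, ok in classify().items():
        print(f"{name:22s} -> {'delivered to BGP' if ok else 'discarded'}")
```

Only the genuine segment from the peer is delivered; the other two never reach the BGP process, which is the point of the reply: a forged segment has to claim the peer's source address, and discarding such packets at the right places makes the session's own authentication a second line of defence rather than the only one.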