Roeland Meyer wrote:

> From: Randy Bush [mailto:randy@psg.com]
> Sent: Monday, September 17, 2001 1:45 PM
>
> inter-isp peering and intra-isp ibgp to be covered fairly quickly. i
> would suggest having one's provisioning folk working with bgp customers
> to close that avenue as well, starting with the more critical customers.
>
> also, think about your igp.

Why, IGP shouldn't even be visible from outside the border, neh? Internal issues are, internal issues. If it leaks, plug the leak.
On Mon, Sep 17, 2001 at 02:32:56PM -0700, Roeland Meyer wrote:

> > From: Randy Bush [mailto:randy@psg.com]
> > Sent: Monday, September 17, 2001 1:45 PM
> >
> > inter-isp peering and intra-isp ibgp to be covered fairly quickly. i
> > would suggest having one's provisioning folk working with bgp customers
> > to close that avenue as well, starting with the more critical customers.
> >
> > also, think about your igp.
>
> Why, IGP shouldn't even be visible from outside the border, neh? Internal issues are, internal issues. If it leaks, plug the leak.

You obviously haven't had cases where a telco cuts or swings the wrong circuit.

Telco: "We think we've swung it ok"
Me: "Circuit is still up, never took a hit"
Telco: "Hmm."
Me (thinking): "I wonder whose circuit they just took down"

With cdp or looking at the path-trace one could take advantage of these situations with great ease.

- jared

-- 
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
On Mon, Sep 17, 2001 at 02:32:56PM -0700, Roeland Meyer wrote:

> Why, IGP shouldn't even be visible from outside the border, neh? Internal issues are, internal issues. If it leaks, plug the leak.

Randy said _think_ about it.

Does your IGP run over IP? Might that be a vector? Might your customers have the ability to do things that non-customers cannot? Does your architecture require you to mark all customer-facing interfaces as "passive"? Do you verify regularly that you don't have a misconfiguration in this area? Are you vulnerable to arp games at your point of customer-attach? Do you have SNMP access to your routers carefully filtered? Are you running multicast? Are there bugs that affect only multicast routing? Are you running code that is vulnerable to those bugs?

I'm sure there are other avenues of attack, but these are just a few that we've considered here.

If I can compromise your IGP I have a very good chance of being able to melt down your entire network, or at least large portions of it, almost at will. In large networks, IGPs tend to go absolutely haywire when they fail and the resulting implosion often obliterates most traces of the event that started it -- at the very least, one has to sift through mountains of log data to find the beginning of the end. Having been through this once, and working with folks who went through it elsewhere on even larger networks, I assure you that recovery time from such an event can stretch from several hours to a few days.

--Jeff
Roeland Meyer wrote:

> Why, IGP shouldn't even be visible from outside the border, neh? Internal issues are, internal issues. If it leaks, plug the leak.

It may be possible for an attacker to send updates either from the outside or, perhaps more effectively, from inside via a compromised host. In addition to authentication mechanisms, anti-spoofing/sanity filters could also help. Disabling the reception/advertisement of updates entirely on those physical interfaces that don't need them may also be helpful.

John
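Jeff's questions (are all customer-facing interfaces passive, and is that verified regularly; is SNMP access filtered) and John's suggestions (authentication, and switching off updates on interfaces that don't need them) can be turned into a repeatable audit. The script below is an added example for this thread, not code posted by any of the participants. It assumes Cisco IOS-style configuration syntax and a site convention, assumed here, that customer- and peer-facing interfaces carry a description beginning with "CUSTOMER:" or "PEER:". The configuration it checks is constructed for the example and contains deliberate mistakes.

```python
# Added example: audit an IOS-style config for the IGP exposure points above.
# Assumptions (not from the thread): Cisco IOS syntax, and a site convention
# that customer/peer-facing interfaces have a description beginning with
# "CUSTOMER:" or "PEER:". The sample config below is constructed.
import ipaddress
import re

EXTERNAL_TAGS = ("CUSTOMER:", "PEER:")
NETWORK_RE = re.compile(r"^network (\S+) (\S+) area \S+$")
SNMP_RE = re.compile(r"^snmp-server community (\S+) (?:RO|RW)(?: (\S+))?$")

# Deliberate mistakes: Gi0/2 is a customer port left active in OSPF with no
# key, and the "public" community has no ACL. Gi0/1 is a customer port whose
# subnet is outside the network statement, so it is (correctly) not flagged.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description CORE: link to rtr2
 ip address 10.1.1.1 255.255.255.252
 ip ospf message-digest-key 1 md5 REDACTED
!
interface GigabitEthernet0/1
 description CUSTOMER: example customer A
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/2
 description CUSTOMER: example customer B
 ip address 10.2.2.1 255.255.255.252
!
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/2
 network 10.0.0.0 0.255.255.255 area 0
!
snmp-server community public RO
snmp-server community s3cret RO 10
access-list 10 permit 192.0.2.100
"""


def parse_config(text):
    """Return {top-level line: [indented sub-lines]}; '!' or a blank ends a block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.strip() in ("", "!"):
            current = None
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def ospf_enabled(lines, networks):
    """True if 'ip ospf <pid> area <a>' is on the interface, or its address
    falls under a 'network <addr> <wildcard> area <a>' statement."""
    if any(re.match(r"^ip ospf \d+ area ", l) for l in lines):
        return True
    m = next((re.match(r"^ip address (\S+) ", l) for l in lines if l.startswith("ip address ")), None)
    if m is None:
        return False
    addr = int(ipaddress.IPv4Address(m.group(1)))
    for net, wildcard in networks:
        mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # wildcard -> netmask
        if addr & mask == int(ipaddress.IPv4Address(net)) & mask:
            return True
    return False


def is_passive(name, ospf_lines):
    """An explicit per-interface line overrides 'passive-interface default'."""
    if f"no passive-interface {name}" in ospf_lines:
        return False
    if f"passive-interface {name}" in ospf_lines:
        return True
    return "passive-interface default" in ospf_lines


def audit(text):
    """Return [(object, problem)] for the passive / authentication / SNMP checks."""
    blocks = parse_config(text)
    ospf = next((v for k, v in blocks.items() if k.startswith("router ospf ")), [])
    networks = [m.groups() for m in map(NETWORK_RE.match, ospf) if m]
    findings = []
    for header, lines in blocks.items():
        if header.startswith("interface "):
            name = header.split(" ", 1)[1]
            desc = next((l[12:] for l in lines if l.startswith("description ")), "")
            if not ospf_enabled(lines, networks):
                continue  # no adjacency possible here, so passive/keys are moot
            passive = is_passive(name, ospf)
            if desc.startswith(EXTERNAL_TAGS) and not passive:
                findings.append((name, "external-facing interface is active in OSPF"))
            if not passive and not any(l.startswith("ip ospf message-digest-key ") for l in lines):
                findings.append((name, "active OSPF interface has no message-digest key"))
        else:
            m = SNMP_RE.match(header)
            if m and m.group(2) is None:
                findings.append((f"snmp community {m.group(1)}", "no access-list restricts SNMP sources"))
    return findings


if __name__ == "__main__":
    for obj, problem in audit(SAMPLE_CONFIG):
        print(f"{obj}: {problem}")
```

The check worth noticing is that whether an interface can form an adjacency is decided by the `network` statement (or a per-interface `ip ospf ... area`), not by its description: Gi0/1 is customer-facing but outside the network statement, so it is not reported, while Gi0/2 is reported twice. Run it against exported configs on a schedule; it does not model area-level authentication, IS-IS, or interface ACLs on protocol 89, which are the other knobs John's message points at.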
participants (4)
- Jared Mauch
- Jeff Aitken
- John Kristoff
- Roeland Meyer