RE: Winstar says there is no TCP/BGP vulnerability
David Luyer wrote: 98 of the first 100 did not reset. Today, I did another 12 and only one failed.
Thanks for the feedback.
If you have a fully redundant internal BGP, and are running all 12.2S/12.3/12.2T, then you can rather safely do the internal BGP passwords without a customer notice, expecting no session drop but knowing if one did you'd have routes via a second BGP reflector anyway.
Ack.
Christopher L. Morrow wrote: use a route-map to add/remove metric or localpref? or any other settable thing on your side? or prepend or ....
Michel Py wrote: Based on what criteria? Both the peer and the transit announce the same prefix with the same AS-PATH length. I agree that in many cases, favoring the route coming from the transit provider would work,
Iljitsch van Beijnum wrote: Huh? You don't pay for peering traffic by the megabit, so the idea is to always prefer routes from peers.
Indeed, but we were talking about what to do with routes coming from the peer that are not supposed to. Legit routes announced by the peer will naturally be preferred, either because the prefix is longer than the one received from transit, or because the AS-PATH is shorter as the prefix is connected directly to the peer.
Michel.