I know from my studies that there is BGP neighbor md5 authentication.
Somewhere in my reading I seem to recall that employing authentication can
add 50-100% to the time it takes a neighbor relationship to form. Fine for
lab work. maybe not so fine in the world of the production ISP.
phrak, this is all we need. ISP's start preventing BGP packets from any but
known and trusted sources to cross their networks and there go the internet
BGP practice labs.
damn anarchists.
Chuck
-------
neighbor password
To enable Message Digest 5 (MD5) authentication on a TCP connection between
two Border Gateway Protocol (BGP) peers, use the neighbor password router
configuration command. To disable this function, use the no form of this
command.
neighbor {ip-address | peer-group-name} password string
-------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Andras Bellak
Sent: Thursday, December 20, 2001 9:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Latest Hackers Target: Routers [7:29844]
Nigel-
If you dig back through the NANOG archives, there was a rather in depth
and discouraging discussion of encrypting / authorizing BGP session
neighbors. The general result was that almost nobody supported it, and
many in the ISP groups that offer BGP connectivity didn't even know what
it was.
While it might or might not be on the CCIE exams, having some form of
authentication between routing partners is a good thing to practice in
your test labs, and put into production in your networks.
Andras
-----Original Message-----
From: Nigel Taylor [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 8:33 PM
To: [EMAIL PROTECTED]
Subject: Re: Latest Hackers Target: Routers [7:29844]
Chuck,
Yes, I got the thread on this today and forwarded a copy to
some of my co-workers. I hope folks are making use of the various IOS
implementations to limit the damage done by a prospective attacker.
Things
like CBAC, rate-limit could go a long way in simply providing the needed
time to identify a serious attack and implement more specific filtering
techniques to identify or completely block the attacker.
As it applies to the sniffing of BGP packets to gain route information,
I
was wondering where do things stand now on the implementation of
encrypted
authentication within BGP. If I'm not mistaken, isn't this suppose to
happen along with support for IPv6. This document references
authentication which sounds like the existing support for MD5 based
authentication.
http://search.ietf.org/internet-drafts/draft-ietf-idr-bgp4-16.txt (pg
9(a) )
Now this document does seem to address current issues with respects to
the
flaws/vulnerabilities inherent to all TCP based protocols. The important
thing to note is this can be done without the presence of a MPLS aware
backbone based on the model identified by RFC2547bis (MPLS/VPN).
http://search.ietf.org/internet-drafts/draft-declercq-bgp-ipsec-vpn-01.t
xt
Thoughts anyone..
Nigel .
----- Original Message -----
From: "Chuck Larrieu"
To:
Sent: Thursday, December 20, 2001 10:14 PM
Subject: RE: Latest Hackers Target: Routers [7:29810]
> anyone see a thread about this on NANOG today? The archives are not up
to
> date with today's topics.
>
> Chuck
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Eric Rogers
> Sent: Thursday, December 20, 2001 1:29 PM
> To: [EMAIL PROTECTED]
> Subject: OT: Latest Hackers Target: Routers [7:29810]
>
>
> Paste into your browser:
>
> dailynews.yahoo.com/h/cmp/20011217/tc/inw20011217s0004_1.html
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29862&t=29844
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
