On 16 December 2015 at 20:54, Gavin Henry <[email protected]> wrote:
> Hi all,
>
> This is really very good (in case anyone missed it):
>
> http://www.ssi.gouv.fr/uploads/2013/10/BGP_configuration_best_practices.pdf

WOW. I would not use this, nor would I advise anyone to use it as a basis for their configurations.

1. Don't use uRPF on a peering router, and if you are, loose mode seems pretty dumb on a full transit router.

2. Those are some really bad filtering examples, and if you just used it as a factsheet there are missing entries which you may falsely assume don't matter. Filtering all >/48 v6 prefixes seems a little odd too -- why that size?

3. TCP MD5 for BGP. They say it's not cryptographically secure, then go on to say you should use a strong password. Which? How about just using the MD5 password as a prevention of fat-finger incidents as I imagine 90% of people do (the rest assuming that it provides a level of security it doesn't provide)?

Please don't use that guide as the basis for any BGP speaking router in the 21st Century :)

M
