On 17/12/2015 13:51, Matthew Walster wrote:
> 1. Don't use uRPF on a peering router, and if you are, loose mode seems
> pretty dumb on a full transit router.

On systems which tie null0 into the uRPF mechanism, this is a good means of implementing S/RTBH. Strict uRPF at a peering exchange is obviously bananas, unless you're a leaf network or if you hate your customers. Fine at the customer edge; useless everywhere else.

> 2. Those are some really bad filtering examples, and if you just used it as
> a factsheet there are missing entries which you may falsely assume don't
> matter. Filtering all >/48 v6 prefixes seems a little odd too -- why that
> size?

Same as /24 for IPv4: it stops people who accidentally leak their entire interior routing table from causing damage to everyone else.

> 3. TCP MD5 for BGP. They say it's not cryptographically secure, then go on
> to say you should use a strong password. Which? How about just using the
> MD5 password as a prevention of fat-finger incidents as I imagine 90% of
> people do (the rest assuming that it provides a level of security it
> doesn't provide)?

MD5 for BGP is a good idea at IXPs. The reason why is that IP addresses are re-used from time to time and unless you clean out your old peering sessions regularly, you can potentially end up accidentally peering with chancers who spoof old members' ASNs. Otherwise they're a bit useless, but hey, if your security policy demands them, there's no reason to have a fight about it. They're harmless.

Nick
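The maximum-prefix-length rule discussed in point 2 (drop IPv4 prefixes longer than /24 and IPv6 prefixes longer than /48 so that an accidentally leaked interior table is stopped at the edge), written out as an added example; this is not code from the thread or from any vendor, and the function names `check_prefix` and `filter_prefixes` and the sample prefix list are assumptions constructed for the demonstration. Malformed strings and prefixes with host bits set are rejected rather than raising, since a filter that crashes on one bad NLRI is worse than one that drops it.

```python
"""Maximum-prefix-length filter for received BGP routes.

Added example, not code from the original thread: it applies the rule
given above (reject IPv4 longer than /24 and IPv6 longer than /48).
Function names and the sample prefixes are constructed for this demo.
"""
import ipaddress
from typing import Dict, List, Tuple

# Longest prefix accepted per address family (the thresholds from the thread).
MAX_PREFIX_LEN = {4: 24, 6: 48}


def check_prefix(prefix: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for one prefix string.

    Malformed strings and prefixes with host bits set are rejected rather
    than raising, so a single garbage entry cannot take the filter down.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    limit = MAX_PREFIX_LEN[net.version]
    if net.prefixlen > limit:
        return False, f"too specific: /{net.prefixlen} > /{limit}"
    return True, "ok"


def filter_prefixes(prefixes: List[str]) -> Dict[str, List[str]]:
    """Split a received prefix list into accepted and rejected entries."""
    result: Dict[str, List[str]] = {"accepted": [], "rejected": []}
    for p in prefixes:
        ok, reason = check_prefix(p)
        if ok:
            result["accepted"].append(p)
        else:
            result["rejected"].append(f"{p} ({reason})")
    return result


# Constructed sample: a normal announcement set plus a simulated interior leak.
SAMPLE_UPDATE = [
    "203.0.113.0/24",        # documentation range, exactly at the /24 limit
    "198.51.100.0/22",
    "198.51.100.128/25",     # interior subnet leaked
    "198.51.100.200/32",     # loopback leaked
    "2001:db8::/32",
    "2001:db8:1::/48",       # exactly at the /48 limit
    "2001:db8:1:2::/64",     # interior subnet leaked
    "2001:db8:1:2::1/128",   # loopback leaked
    "2001:db8::1/32",        # host bits set: not a valid route
    "not-a-prefix",          # garbage input
]

if __name__ == "__main__":
    verdicts = filter_prefixes(SAMPLE_UPDATE)
    for key in ("accepted", "rejected"):
        print(key)
        for entry in verdicts[key]:
            print("  ", entry)
```

Running the block prints four accepted prefixes and six rejections with the reason for each; on a real edge the same check would sit in front of the RIB-in alongside the usual bogon and max-prefix limits, which this example does not implement.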
