So whose volunteering to write the update?! Peter Knapp
-----Original Message----- From: uknof [mailto:[email protected]] On Behalf Of Nick Hilliard Sent: 17 December 2015 14:16 To: Matthew Walster; Gavin Henry Cc: [email protected] Subject: Re: [uknof] BGP configuration best practices from ANSSI and others On 17/12/2015 13:51, Matthew Walster wrote: > 1. Don't use uRPF on a peering router, and if you are, loose mode > seems pretty dumb on a full transit router. on system which tie null0 into the urpf mechanism, this is a good means of implementing s/rtbh. Strict urpf at a peering exchange is obviously bananas, unless you're a leaf network or if you hate your customers. Fine at the customer edge; useless everywhere else. > 2. Those are some really bad filtering examples, and if you just used > it as a factsheet there are missing entries which you may falsely > assume don't matter. Filtering all >/48 v6 prefixes seems a little odd too -- > why that size? same as /24 for ipv4: it stops people who accidentally leak their entire interior routing table from causing damage to everyone else. > 3. TCP MD5 for BGP. They say it's not cryptographically secure, then > go on to say you should use a strong password. Which? How about just > using the > MD5 password as a prevention of fat-finger incidents as I imagine 90% > of people do (the rest assuming that it provides a level of security > it doesn't provide)? md5 for bgp is a good idea at IXPs. The reason why is that IP addresses are re-used from time to time and unless you clean out your old peering sessions regularly, you can potentially end up accidentally peering with chancers who spoof old members' ASNs. Otherwise they're a bit useless, but hey, if your security policy demands them, there's no reason to have a fight about it. They're harmless. Nick
