Re: Application Note: Securing BGP on Juniper Routers
Iljitsch van Beijnum wrote:

--snip--

> > If addresses are spoofed (which they quite often are) then there will
> > be no set of IPs whereby you can configure appropriate filters.
>
> Yes. This is the main weakness of the whole thing. That's why the war
> against spoofing is so important. It's really easy to solve with some
> filtering, but many networks still refuse to do this.
>
> ISPs with their own peering can filter their peers, so they at least have
> partial protection against spoofing.
>

In peering there is only one golden rule: Do not accept anything from your peer unless this peer is authorized to announce what is agreed upon.

This works out well for ISP customers and ISPs, since the customer (as a stub) would accept any BGP routes from the ISP (but the default route or the bogons), and the ISP would accept only the prefixes the customer is entitled to. This counts not only for BGP advertisements, but also for source IPs of day-to-day traffic. -Thou shalt not enter my network if thou identifies thyself improperly-

And if every user would do it, it would not be a problem, and it would even be called "good internet practice". But it implies applying the Rob-template to every Internet-facing customer router. And with that comes the maintenance that you tend to see as not 'part of your job'.

It will be more difficult for ISP-ISP peering, since one ISP cannot control filtering at a neighbor ISP. ISPs have the possibility (and some also use it) to compare route announcements with the RADB database. Since many customers do not register their prefixes with RADB, it is not a reliable source for filtering, but still some ISPs do. As some customers do not register, thinking 'tough luck', and some customers do, this is not a reliable instrument to filter ISP-ISP peering.

In very rare cases you have the opportunity to bypass these ISP-ISP filters with a little trick :o)

--snip--

> > I'm still not seeing much benefit to taking this approach given the
> > additional $ and complexity for a solution that doesn't protect you from
> > spoofed attacks.
>
> This is a reasonable point of view. However, it seems that the people who
> are in the best position to do something (large ISPs) are the least
> interested in taking action.

--snip--

All ISPs I've worked with, I have had to tell them what prefixes I will announce with what AS#. If you work with an ISP that does not have that requirement, drop that ISP immediately.

General rule:

1) If you cannot handle all Internet prefixes (memory restraints) you will accept a BGP default route, and a default route ONLY.

2) If you do not accept a BGP default route, perform BGP bogon filtering, and accept the fact that you are responsible for updating the rules.

3) If you accept IP Internet traffic, do not accept it if it has a source IP that falls within your bogon list, or has an IP that belongs to your AS. And accept only destination IPs that belong to your AS.

If you want, you can collapse these rules to the following single rule:

1) Do not trust anyone. Not even yourself :o)

>
> Iljitsch van Beijnum

-- commercial break --

Ton Schoenmakers
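As an added example, not part of the thread above, the following Python models the three general rules in that post as ingress policy checks: a peer's BGP announcement is accepted only if it is the default route (for a memory-constrained router) or falls inside the prefixes that peer is authorised to announce and outside the bogon list, and a packet is accepted only if its source is neither a bogon nor one of our own prefixes and its destination is ours. The bogon list and all prefixes are constructed sample values; a real bogon list is longer and, as the post says, has to be maintained.

```python
import ipaddress

# Constructed sample data (not a complete bogon list; RFC 5737 test ranges used as "our AS").
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OUR_AS_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def overlaps_bogon(net):
    """True if the announced prefix is inside, or covers, any bogon range."""
    return any(net.subnet_of(b) or b.subnet_of(net) for b in BOGONS)


def accept_announcement(prefix, peer_allowed, default_only=False):
    """Rules 1 and 2 plus the 'golden rule' for a single BGP announcement.

    prefix       -- the prefix the peer announces, e.g. "198.51.100.0/24"
    peer_allowed -- prefixes this peer has agreed to announce (strings)
    default_only -- True for a router that can only hold a default route
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if default_only:                      # rule 1: default route, and ONLY that
        return net.prefixlen == 0
    if net.prefixlen == 0:                # a full-table router takes no default
        return False
    if overlaps_bogon(net):               # rule 2: bogon filtering
        return False
    allowed = [ipaddress.ip_network(p) for p in peer_allowed]
    return any(net.subnet_of(a) for a in allowed)   # golden rule: agreed prefixes only


def accept_packet(src, dst):
    """Rule 3 for one IP packet arriving from the Internet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in b for b in BOGONS):                 # spoofed/unroutable source
        return False
    if any(s in p for p in OUR_AS_PREFIXES):        # our own addresses from outside
        return False
    return any(d in p for p in OUR_AS_PREFIXES)     # only traffic destined to us
```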