Re: Winstar says there is no TCP/BGP vulnerability
On Wed, Apr 21, 2004 at 10:19:10AM -0400, Patrick W. Gilmore wrote:
>
> On Apr 21, 2004, at 3:56 AM, Michel Py wrote:
>
> >> Christopher L. Morrow wrote:
> >> For pure: "Don't blow me up with prefixes" just limit the
> >> maximum-prefix to some # over your expected peer's list.
> >
> > Please allow me to try to make my point again: you store the expected
> > peer maximum-prefix somewhere in your management system. I do
> > understand the added complexity, but in the big scheme of things would
> > it be _that_ more difficult to store a comma-delimited string or
> > something that contains the prefixes that could be announced by that
> > peer instead of the maximum-prefix?
>
> Yes.
>
> > Yes, it generates more work to update the database,
> > but OTOH it provides the LIII engineer with a lot more to troubleshoot
> > issues. Is it simply not worth the work at your scale?
>
> Exactly.
>
> And you do not have to be at 701's scale for this to not work.

We've not had these issues and have been using bgp passwords/md5 for years.

We do have a fancy configuration management system in place, whereby people
put things into the database first before they configure the router.

> Process is a bitch. Especially when it involves other people over whom
> you have no control.

When people generate configs based on database actions, and if they're wrong
they break things and it is quickly noticed next time someone loads/commits a
config. We even have scripts to check to make sure that on other devices where
we can't just do 'load override' that the configs are in sync and warn of
pitfalls.

It takes time and effort to build a well maintained system like this. Sounds
like that effort has not been expended on your side. Then again, I'm guessing
you're dealing with less clued people and have to help them a lot with their
bgp configs...

- jared

--
Jared Mauch | pgp key available via finger from email@example.com
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
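The thread contrasts a bare maximum-prefix limit with storing each peer's expected prefixes in the management database and generating filters from it. The following added example (not from the thread or from any poster) shows the difference on constructed data: a peer that stays under its count limit but announces another peer's block is only caught by the stored per-peer list. The database rows, peer names and the IOS-style prefix-list syntax are assumptions.

```python
import ipaddress

# Constructed sample rows from a per-peer management database (not a real network).
PEER_DB = {
    "AS64500": {"max_prefix": 3, "allowed": "192.0.2.0/24,198.51.100.0/24"},
    "AS64501": {"max_prefix": 2, "allowed": "203.0.113.0/24"},
}


def parse_allowed(field):
    """Turn the comma-delimited string stored in the DB into network objects."""
    return [ipaddress.ip_network(p.strip()) for p in field.split(",") if p.strip()]


def is_permitted(prefix, allowed):
    """Exact-match policy: a prefix is expected only if it is listed for the peer."""
    return any(prefix == a for a in allowed)


def check_announcements(peer, announced):
    """Evaluate one peer's announcements under both policies.

    Returns whether the bare maximum-prefix limit would have tripped, and the
    list of prefixes the stored per-peer list identifies as unexpected.
    """
    row = PEER_DB[peer]
    allowed = parse_allowed(row["allowed"])
    nets = [ipaddress.ip_network(p) for p in announced]
    return {
        "max_prefix_exceeded": len(nets) > row["max_prefix"],
        "unexpected": [str(n) for n in nets if not is_permitted(n, allowed)],
    }


def render_peer_filter(peer):
    """Generate filter lines from the DB row (IOS-style syntax, an assumption here)."""
    allowed = parse_allowed(PEER_DB[peer]["allowed"])
    lines = [f"ip prefix-list {peer}-IN seq {5 * (i + 1)} permit {p}"
             for i, p in enumerate(allowed)]
    lines.append(f"ip prefix-list {peer}-IN seq {5 * (len(lines) + 1)} deny 0.0.0.0/0 le 32")
    return lines


if __name__ == "__main__":
    # Under the limit, but announcing AS64501's block: only the stored list flags it.
    print(check_announcements("AS64500", ["192.0.2.0/24", "203.0.113.0/24"]))
    print("\n".join(render_peer_filter("AS64500")))
```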