North American Network Operators Group
Re: Winstar says there is no TCP/BGP vulnerability
On Wed, Apr 21, 2004 at 11:11:57AM -0400, Patrick W.Gilmore wrote:
>
> On Apr 21, 2004, at 10:38 AM, Jared Mauch wrote:
>
> >On Wed, Apr 21, 2004 at 10:19:10AM -0400, Patrick W.Gilmore wrote:
> >>
> >>>Yes, it generates more work to update the database,
> >>>but OTOH it provides the LIII engineer with a lot more to
> >>>troubleshoot
> >>>issues. Is it simply not worth the work at your scale?
> >>
> >>Exactly.
> >>
> >>And you do not have to be at 701's scale for this to not work.
> >
> > We've not had these issues and have been using
> >bgp passwords/md5 for years. We do have a fancy configuration
> >management system in place, whereby people put things into the
> >database first before they configure the router.
>
> Sorry, in this particular post, we were (or at least I was) talking
> about having prefix filters for all your peers. I know I've talked a
> lot about MD5 lately, just thought it would be a nice change of
> subject. :)

(sorry, I was speaking to the md5 issue here as well.. but I can comment
on the peer prefix-filtering issue as well..)

> If you do prefix filter all your peers, that is impressive. Do you get
> out of sync a lot? Does it help keep the network more stable? Or do
> process problems make it worse than just max-prefixes on a peer? We
> have some peers that fluctuate prefix ranges enough (even in a 24 hr
> period) it is causing problems.

We had 4MB+ router configs @ LINX when we were doing full peer prefix
filtering. It's easier to do in Europe as RIPE provides a well-structured
(yet annoying at times) registration system whereby people need to know
how to set up the route objects to get PI space. People also tend to be
more clued there than joe-average ISP elsewhere that runs BGP. People
here say "why should I have to register my routes, just accept what I
announce" whereas people in Europe have (more than) half the work already
done as part of their obligations/interaction with RIPE.
- jared

--
Jared Mauch  | pgp key available via finger from email@example.com
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
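The thread above contrasts two ways of limiting what a peer can inject into your table: per-peer prefix filters generated from registry route objects (the RIPE model, with the database updated before the router) and a simple max-prefix ceiling as a fallback. The following Python is an added example written for this page, not code from the NANOG post or from any of the networks mentioned. It parses a small constructed set of RPSL-style route objects, renders an IOS-style prefix-list for one peer, and reports drift between what the registry says a peer may originate and what the peer is actually announcing; the peer names, ASNs and prefixes are all constructed sample data, and the prefix-list syntax is only one common vendor dialect.

```python
"""Prefix-filter generation and registry/announcement drift check.

Added example, not from the original post. Route objects, ASNs and
announcements below are constructed sample data (documentation prefixes).
"""
import ipaddress
from collections import defaultdict

# Constructed sample of registry route objects, separated by blank lines.
SAMPLE_RPSL = """\
route:   192.0.2.0/24
origin:  AS64496

route:   198.51.100.0/24
origin:  AS64496

route:   203.0.113.0/24
origin:  AS64497
"""


def parse_route_objects(text):
    """Return {origin ASN: set of ip_network} from RPSL-style route objects."""
    routes = defaultdict(set)
    current = {}
    # Append a sentinel blank line so the final record is flushed too.
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "route" in current and "origin" in current:
                routes[current["origin"]].add(ipaddress.ip_network(current["route"]))
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return routes


def build_prefix_list(name, prefixes):
    """Render an IOS-style prefix-list: one exact-match permit per registered
    prefix, then an explicit catch-all deny so unregistered routes are dropped."""
    ordered = sorted(prefixes, key=lambda n: (n.version, n))
    lines = [
        f"ip prefix-list {name} seq {seq * 5} permit {prefix}"
        for seq, prefix in enumerate(ordered, start=1)
    ]
    lines.append(f"ip prefix-list {name} seq {(len(ordered) + 1) * 5} deny 0.0.0.0/0 le 32")
    return lines


def check_drift(registered, announced, max_prefix):
    """Compare registered prefixes against a peer's current announcements.

    'unregistered' are announcements the filter would drop (the peer needs to
    update its route objects); 'stale' are registered prefixes not currently
    seen; 'over_max_prefix' is the coarse fallback the thread discusses."""
    registered = set(registered)
    announced = {ipaddress.ip_network(p) for p in announced}
    return {
        "unregistered": sorted(announced - registered, key=str),
        "stale": sorted(registered - announced, key=str),
        "over_max_prefix": len(announced) > max_prefix,
    }


if __name__ == "__main__":
    routes = parse_route_objects(SAMPLE_RPSL)
    print("\n".join(build_prefix_list("AS64496-IN", routes["AS64496"])))
    # Constructed snapshot of what the peer is announcing right now.
    report = check_drift(routes["AS64496"], ["192.0.2.0/24", "203.0.113.0/24"], max_prefix=5)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the module regenerates the per-peer prefix-list from the registry and prints any announcement that would be rejected, which is the kind of check an operator would run from the configuration database before pushing a new filter to the router. The max-prefix flag is deliberately separate: it catches a peer that suddenly leaks far more routes than expected even when every individual prefix is registered.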