On Tue, Apr 20, 2004 at 01:45:20PM -0700, Matthew Dillon wrote:

> On the other hand, BGP can be trivially protected. You don't need
> ingress or egress filtering at all (by which I mean IP block filtering),
> you simply disable the routing of any packet to or from port 179.
> 99.9% of all BGP links are direct connections (meaning that they
> terminate at a router rather than pass through one). No packet to
> or from port 179 has any business being routed from one network to
> another in virtually all BGP link setups so the fix is utterly trivial.

most multi-router, multi-link setups use peering with a multihop address of some other router (or route server) to provide equal cost balancing. RFC3682 describes something along the same vein of what you suggest, but handles non-directly-connected cases (multihop, tunnels, etc.) better.

vendor J lets you dynamically build your firewall rules such that you can actually just create a term "allow from all bgp neighbors in the config AND port 179 AND protocol tcp". vendor C would do well to provide something similar.

those running freebsd bgp daemons should consider building something similar that feeds ${freebsd_packet_filter} from a ${freebsd_routing_daemon} configuration file.

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
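The closing suggestion above, as an added example that is not code from this thread or from any FreeBSD project: a small Python script that reads Zebra/Quagga-style `neighbor <addr> remote-as <asn>` lines (an assumed config syntax) from a constructed bgpd.conf and emits pf rules that drop TCP/179 in both directions except with the configured peers, so multihop peers listed in the daemon config are allowed without any address-block filtering. The interface name `em0` and the sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample bgpd.conf (assumption: Zebra/Quagga-style syntax;
# adapt NEIGHBOR_RE for another daemon). One line is deliberately unparsable.
SAMPLE_BGPD_CONF = """\
router bgp 65000
 bgp router-id 192.0.2.1
 neighbor 192.0.2.2 remote-as 65001
 neighbor 198.51.100.9 remote-as 65002
 neighbor 198.51.100.9 ebgp-multihop 2
 neighbor 2001:db8::2 remote-as 65003
 neighbor badhost remote-as 65004
"""

NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+remote-as\s+\d+")


def bgp_neighbors(conf_text):
    """Return the unique peer addresses declared with remote-as, in config order.
    Entries that are not valid IP addresses are skipped rather than becoming rules."""
    seen = []
    for line in conf_text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if addr not in seen:
            seen.append(addr)
    return seen


def pf_rules(neighbors, iface="em0"):
    """Build pf.conf lines. pf uses last-match semantics, so the broad block
    rules come first and the per-neighbor pass rules after them override them.
    'keep state' lets reply packets bypass the block rules via the state table."""
    rules = ["# BGP: drop any TCP/179 traffic not involving a configured neighbor"]
    for direction in ("in", "out"):
        rules.append("block %s log on %s proto tcp from any to any port 179" % (direction, iface))
        rules.append("block %s log on %s proto tcp from any port 179 to any" % (direction, iface))
    for n in neighbors:
        fam = "inet6" if n.version == 6 else "inet"
        rules.append("pass in on %s %s proto tcp from %s to any port 179 keep state" % (iface, fam, n))
        rules.append("pass out on %s %s proto tcp from any to %s port 179 keep state" % (iface, fam, n))
    return rules


if __name__ == "__main__":
    print("\n".join(pf_rules(bgp_neighbors(SAMPLE_BGPD_CONF))))
```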