From: Randy Bush [mailto:randy@psg.com]
Sent: Monday, September 17, 2001 1:45 PM
inter-isp peering and intra-isp ibgp to be covered fairly quickly. i
would suggest having one's provisioning folk working with
bgp customers
to close that avenue as well, starting with the more
critical customers.also, think about your igp.
Why, IGP shouldn't even be visible from outside the border, neh? Internal
issues are, internal issues. If it leaks, plug the leak.
You obviously haven't had cases where a telco cuts or swings
the wrong circuit.
Telco: "We think we've swung it ok"
Me: "Circuit is still up, never took a hit"
Telco: "Hmm."
me (thinking): "I wonder whose circuit they just took down"
with cdp or looking at the path-trace one could take advantage
of these situations with great ease.
- jared
Randy said _think_ about it. Does your IGP run over IP? Might
that be a vector? Might your customers have the ability to do
things that non-customers cannot? Does your architecture require
you to mark all customer-facing interfaces as "passive"? Do you
verify regularly that you don't have a misconfiguration in this
area? Are you vulnerable to arp games at your point of customer-attach?
Do you have SNMP access to your routers carefully filtered? Are
you running multicast? Are there bugs that affect only multicast
routing? Are you running code that is vulnerable to those bugs?
I'm sure there are other avenues of attack, but these are just a
few that we've considered here.
If I can compromise your IGP I have a very good chance of being
able to melt down your entire network, or at least large portions
of it, almost at will. In large networks, IGPs tend to go absolutely
haywire when they fail and the resulting implosion often obliterates
most traces of the event that started it -- at the very least, one
has to sift through mountains of log data to find the beginning of
the end. Having been through this once, and working with folks
who went through it elsewhere on even larger networks, I assure
you that recovery time from such an event can stretch from several
hours to a few days.
--Jeff
Roeland Meyer wrote:
Why, IGP shouldn't even be visible from outside the border, neh? Internal
issues are, internal issues. If it leaks, plug the leak.
It may be possible for for an attacker to send updates either from the
outside or perhaps more effectively from inside via a compromised host.
In addition to authentication mechanisms, anti-spoofing/sanity filters
could also help. Disabling the reception/advertisement of updates from
certain physical interfaces entirely that don't need them may also be
helpful.
John