BGP Secuurity with bgp maxas-limit -viable?

Don't know whether or not I'm leaving the scope of BGP/CCIP... (Not that I care really)

I started looking into BGP security, MD5 security is just a gimme, TTL security I can understand but I found this blog post (from Cisco no less) about BGP security via bgp maxas-limit limiting the number of AS'es that can be in AS Path.

My question is how useful is this as a security tool, the second link I found poses this more as a resource management tool. (Something help with memory management.)

The first article says this can prevent route hijacking, but since the bgp maxas-limit is global and effects every route I can't see that being scalable.

Cisco Blog » Blog Archive » Securing BGP
Also found this one Protecting Border Gateway Protocol for the Enterprise - Cisco Systems

Am I missing something with bgp maxas-limit??

Find more posts tagged with

Comments

jovan88

I think that command is designed to protect the resources of the router. Anyone who works with BGP in a large scale environment can correct me, but typically you won't see a rediculously long AS path, like over 100 for example. So you probably won't need to do it on a per neighbor basis.

Ryan82

A couple documents to read that will explain why:

Longer is not always better - Renesys Blog

Reckless Driving on the Internet - Renesys Blog

DPG

jovan88 wrote: »

I think that command is designed to protect the resources of the router. Anyone who works with BGP in a large scale environment can correct me, but typically you won't see a rediculously long AS path, like over 100 for example. So you probably won't need to do it on a per neighbor basis.

This is true for the most part but I have seen some idiots prepend their AS dozens of times.

Look at this:

sh ip bgp paths | i 56199
0x5151DD58 3359 1 57 2914 2914 4739 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 i

SteveO86

Thanks for the reply guys, it confirms what I was thinking.

I guess if you have a bunch of idiots pre-pending their path over a dozen times that would hinder resources a bit.

Heero

SteveO86 wrote: »

Thanks for the reply guys, it confirms what I was thinking.

I guess if you have a bunch of idiots pre-pending their path over a dozen times that would hinder resources a bit.

That's not the real issue. The reasoning is that you don't want a full Internet routing table, but you do want your providers routes, and routes in ASs connected directly to your providers. In this way, you have a trade off between optimal routing and router resources. You would just have a default route or something of that nature to make up for missing routes that were filtered because they exceeded the max AS count.