BGP Secuurity with bgp maxas-limit -viable?

SteveO86SteveO86 Member Posts: 1,423
in CCNP Service Provider
Don't know whether or not I'm leaving the scope of BGP/CCIP... (Not that I care really)

I started looking into BGP security, MD5 security is just a gimme, TTL security I can understand but I found this blog post (from Cisco no less) about BGP security via bgp maxas-limit limiting the number of AS'es that can be in AS Path.

My question is how useful is this as a security tool, the second link I found poses this more as a resource management tool. (Something help with memory management.)

The first article says this can prevent route hijacking, but since the bgp maxas-limit is global and effects every route I can't see that being scalable.

Cisco Blog » Blog Archive » Securing BGP
Also found this one Protecting Border Gateway Protocol for the Enterprise - Cisco Systems

Am I missing something with bgp maxas-limit??
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
· Share on FacebookShare on Twitter

Comments

  • jovan88jovan88 Member Posts: 393
    I think that command is designed to protect the resources of the router. Anyone who works with BGP in a large scale environment can correct me, but typically you won't see a rediculously long AS path, like over 100 for example. So you probably won't need to do it on a per neighbor basis.
    · Share on FacebookShare on Twitter
  • Ryan82Ryan82 Member Posts: 428
    A couple documents to read that will explain why:

    Longer is not always better - Renesys Blog

    Reckless Driving on the Internet - Renesys Blog
    · Share on FacebookShare on Twitter
  • DPGDPG Member Posts: 780 ■■■■■□□□□□
    jovan88 wrote: »
    I think that command is designed to protect the resources of the router. Anyone who works with BGP in a large scale environment can correct me, but typically you won't see a rediculously long AS path, like over 100 for example. So you probably won't need to do it on a per neighbor basis.

    This is true for the most part but I have seen some idiots prepend their AS dozens of times.

    Look at this:

    sh ip bgp paths | i 56199
    0x5151DD58 3359 1 57 2914 2914 4739 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 i

    icon_twisted.gif
    · Share on FacebookShare on Twitter
  • SteveO86SteveO86 Member Posts: 1,423
    Thanks for the reply guys, it confirms what I was thinking.

    I guess if you have a bunch of idiots pre-pending their path over a dozen times that would hinder resources a bit.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
    · Share on FacebookShare on Twitter
  • HeeroHeero Member Posts: 486
    SteveO86 wrote: »
    Thanks for the reply guys, it confirms what I was thinking.

    I guess if you have a bunch of idiots pre-pending their path over a dozen times that would hinder resources a bit.
    That's not the real issue. The reasoning is that you don't want a full Internet routing table, but you do want your providers routes, and routes in ASs connected directly to your providers. In this way, you have a trade off between optimal routing and router resources. You would just have a default route or something of that nature to make up for missing routes that were filtered because they exceeded the max AS count.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.