BGP Security with bgp maxas-limit - viable?

Don't know whether or not I'm leaving the scope of BGP/CCIP... (Not that I care really)

I started looking into BGP security: MD5 security is just a gimme, TTL security I can understand, but I found this blog post (from Cisco no less) about BGP security via bgp maxas-limit, limiting the number of ASes that can be in the AS path.

My question is: how useful is this as a security tool? The second link I found poses this more as a resource management tool (something to help with memory management).

The first article says this can prevent route hijacking, but since bgp maxas-limit is global and affects every route, I can't see that being scalable.

Cisco Blog » Blog Archive » Securing BGP
Also found this one: Protecting Border Gateway Protocol for the Enterprise - Cisco Systems

Am I missing something with bgp maxas-limit?
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS

Comments

  • jovan88 (Posts: 393, Member)
    I think that command is designed to protect the resources of the router. Anyone who works with BGP in a large scale environment can correct me, but typically you won't see a ridiculously long AS path, like over 100 for example. So you probably won't need to do it on a per neighbor basis.
  • DPG (Posts: 780, Member)
    jovan88 wrote: »
    I think that command is designed to protect the resources of the router. Anyone who works with BGP in a large scale environment can correct me, but typically you won't see a ridiculously long AS path, like over 100 for example. So you probably won't need to do it on a per neighbor basis.

    This is true for the most part but I have seen some idiots prepend their AS dozens of times.

    Look at this:

    sh ip bgp paths | i 56199
    0x5151DD58 3359 1 57 2914 2914 4739 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 i


  • SteveO86 (Posts: 1,423, Member)
    Thanks for the reply guys, it confirms what I was thinking.

    I guess if you have a bunch of idiots prepending their path over a dozen times that would hinder resources a bit.
  • Heero (Posts: 486, Member)
    SteveO86 wrote: »
    Thanks for the reply guys, it confirms what I was thinking.

    I guess if you have a bunch of idiots prepending their path over a dozen times that would hinder resources a bit.
    That's not the real issue. The reasoning is that you don't want a full Internet routing table, but you do want your providers' routes, and routes in ASes connected directly to your providers. In this way, you have a trade-off between optimal routing and router resources. You would just have a default route or something of that nature to make up for missing routes that were filtered because they exceeded the max AS count.
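As an added example (not from the thread, and not Cisco's code), the script below takes output in the layout of the `sh ip bgp paths` line DPG quoted, counts each path's AS entries the way maxas-limit compares them, shows how much of that count is AS prepending, and lists which paths a candidate limit would discard. That gives you a way to pick a limit from your own table before committing it, and to see up front which prefixes Heero's default route would have to cover. The column layout assumed here (Address, Hash, Refcount, Metric, then the AS path and origin code), the `SAMPLE_OUTPUT` lines, and the ASNs and prepend counts in them are all constructed for illustration.

```python
"""Audit which paths a candidate 'bgp maxas-limit' would reject.

Added example, not from the thread or from Cisco; it reads text in the
column layout assumed for 'show ip bgp paths' (Address Hash Refcount Metric Path)
and reports each path's AS count, its length with prepends collapsed, and
whether the candidate limit would discard it.
"""
from dataclasses import dataclass

ORIGIN_CODES = {"i", "e", "?"}


@dataclass(frozen=True)
class BgpPath:
    address: str
    # AS numbers kept as strings; an AS_SET token such as {64500,64501} stays one entry
    as_path: tuple[str, ...]
    origin: str

    @property
    def length(self) -> int:
        """Total AS entries: the number maxas-limit is compared against."""
        return len(self.as_path)

    @property
    def unique_length(self) -> int:
        """Length once consecutive repeats (AS prepending) are collapsed."""
        return len(collapse_prepends(self.as_path))


def collapse_prepends(as_path):
    """Drop consecutive duplicate ASNs so '2914 2914 4739' becomes '2914 4739'."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def parse_paths(text):
    """Parse 'show ip bgp paths' style lines; the header and unparseable lines are skipped."""
    paths = []
    for line in text.splitlines():
        tokens = line.split()
        # A path line starts with a hex address and ends with an origin code.
        if len(tokens) < 5 or not tokens[0].startswith("0x") or tokens[-1] not in ORIGIN_CODES:
            continue
        # tokens[1:4] are assumed to be Hash, Refcount and Metric; the AS path
        # sits between them and the trailing origin code.
        paths.append(BgpPath(tokens[0], tuple(tokens[4:-1]), tokens[-1]))
    return paths


def audit(text, maxas_limit):
    """Return one row per path: (address, length, unique_length, would_be_discarded)."""
    return [
        (p.address, p.length, p.unique_length, p.length > maxas_limit)
        for p in parse_paths(text)
    ]


# Constructed sample in the layout of the line DPG quoted; ASNs and prepend counts are made up.
SAMPLE_OUTPUT = "\n".join([
    "Address    Hash Refcount Metric Path",
    "0x5151DD58 3359 1 57 2914 2914 4739 " + "56199 " * 30 + "i",
    "0x5151DE00 1201 4 0 3356 64500 i",
    "0x5151DF40 2210 2 0 174 3257 3257 3257 64510 64511 ?",
    "0x5151E020 9 1 0 i",  # locally originated route, empty AS path
])


if __name__ == "__main__":
    limit = 20
    for address, length, unique, dropped in audit(SAMPLE_OUTPUT, limit):
        note = "DISCARDED" if dropped else "kept"
        print(f"{address}: {length:3d} ASes ({unique} without prepends) -> {note}")
```

Running it with a limit of 20 discards only the prepend-heavy path (33 entries, but just 3 distinct ASes), which is the case DPG describes; lowering the limit to 5 starts discarding ordinary multi-hop paths too, which is where Heero's point about needing a default route for the filtered routes comes in.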