BGP Security with bgp maxas-limit - viable?
SteveO86
Member Posts: 1,423
Don't know whether or not I'm leaving the scope of BGP/CCIP... (Not that I care really)
I started looking into BGP security. MD5 security is just a gimme, TTL security I can understand, but I found this blog post (from Cisco, no less) about BGP security via bgp maxas-limit, limiting the number of ASes that can be in the AS path.
My question is how useful this is as a security tool; the second link I found poses it more as a resource management tool (something to help with memory management).
The first article says this can prevent route hijacking, but since bgp maxas-limit is global and affects every route, I can't see that being scalable.
Cisco Blog » Blog Archive » Securing BGP
Also found this one Protecting Border Gateway Protocol for the Enterprise - Cisco Systems
Am I missing something with bgp maxas-limit?
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
Comments
-
jovan88 Member Posts: 393I think that command is designed to protect the resources of the router. Anyone who works with BGP in a large-scale environment can correct me, but typically you won't see a ridiculously long AS path, like over 100 for example. So you probably won't need to do it on a per-neighbor basis.
-
Ryan82 Member Posts: 428A couple documents to read that will explain why:
Longer is not always better - Renesys Blog
Reckless Driving on the Internet - Renesys Blog
-
DPG Member Posts: 780I think that command is designed to protect the resources of the router. Anyone who works with BGP in a large-scale environment can correct me, but typically you won't see a ridiculously long AS path, like over 100 for example. So you probably won't need to do it on a per-neighbor basis.
This is true for the most part but I have seen some idiots prepend their AS dozens of times.
Look at this:
sh ip bgp paths | i 56199
0x5151DD58 3359 1 57 2914 2914 4739 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 56199 i
-
SteveO86 Member Posts: 1,423Thanks for the reply guys, it confirms what I was thinking.
I guess if you have a bunch of idiots prepending their path over a dozen times that would hinder resources a bit.
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
-
Heero Member Posts: 486Thanks for the reply guys, it confirms what I was thinking.
I guess if you have a bunch of idiots prepending their path over a dozen times that would hinder resources a bit.