BGP redundancy and security

From: Geert Nijs (geert.nijs@simac.be)
Date: Thu Jun 24 2004 - 07:56:24 GMT-3


Hi group,

Suppose we have a redundant internet connection to two ISP providers in the following setup:

   --- ISP A ---- ROUTER A (runs BGP) ---- INTERNAL NETWORK ----- ROUTER B (runs BGP) ---- ISP B

The problem I am having is: how to make sure that I don't have asymmetric routing (like I exit via router A,
but come back via router B...). I don't think there really is a 100% accurate solution... (could use: AS path
prepending, specific routes, MED, communities... but these can all be overruled by the ISPs...)

This asymmetric routing complicates my security:

- For anti-spoofing, I want to use the nifty new feature:
                ip verify unicast reverse-path

        --> This does not work in asymmetric environments...

        Ok, here i can use an ACL to accomplish the same. (inbound ACL, deny my own internal networks)

- I want to protect myself from SYN attacks. Using
        - reflexive access-lists
                --> Will not work in an asymmetric environment...

        - ip tcp intercept
                --> Will not work in an asymmetric environment...

        - I am stuck with the - not so secure - ACL:
                        permit tcp any any established

        What other options do I have here?

Does anyone have experience with this scenario?

Regards,
Geert
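An added toy model (not from the original post, and not real IOS code) of the two filters the post compares: a reflexive ACL keeps per-router state created by outbound traffic, so a reply arriving at the other router finds no entry, while "permit tcp any any established" only looks at the ACK/RST bits and therefore passes any such packet whether or not a session exists. Addresses and ports are constructed sample values.

```python
# Constructed model of reflexive-ACL vs. "established" semantics under
# symmetric and asymmetric return paths. Not Cisco IOS; illustration only.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


@dataclass
class Router:
    name: str
    # Reflect entries exist only on the router that saw the outbound packet.
    reflexive: set = field(default_factory=set)

    def outbound(self, p: Pkt) -> None:
        # Outbound TCP creates a temporary entry permitting the reverse 4-tuple.
        self.reflexive.add((p.dst, p.dport, p.src, p.sport))

    def inbound_reflexive(self, p: Pkt) -> bool:
        return (p.src, p.sport, p.dst, p.dport) in self.reflexive

    @staticmethod
    def inbound_established(p: Pkt) -> bool:
        # "permit tcp any any established": matches if ACK or RST is set,
        # regardless of whether any session was ever opened.
        return bool(p.flags & {"ACK", "RST"})


def scenario(symmetric: bool):
    """Host behind the routers opens a connection out via router A; the
    reply returns via A (symmetric) or via B (asymmetric). Returns
    (reflexive_result, established_result) for the returning SYN/ACK."""
    a, b = Router("A"), Router("B")
    syn = Pkt("10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"SYN"}))
    synack = Pkt("203.0.113.9", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))
    a.outbound(syn)
    ret = a if symmetric else b
    return ret.inbound_reflexive(synack), ret.inbound_established(synack)


def unsolicited_ack():
    """An inbound packet with ACK set but no prior outbound session: the
    reflexive ACL drops it, the 'established' ACL lets it through."""
    p = Pkt("198.51.100.7", 1234, "10.0.0.5", 22, frozenset({"ACK"}))
    return Router("A").inbound_reflexive(p), Router.inbound_established(p)
```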



This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:49 GMT-3