From owner-freebsd-security@FreeBSD.ORG Tue Apr 20 18:05:19 2004
Date: Tue, 20 Apr 2004 16:46:17 -0700
From: Bill Fumerola
To: Matthew Dillon
Cc: freebsd-security@freebsd.org
Subject: Re: TCP RST attack
Message-ID: <20040420234617.GO17862@elvis.mu.org>
In-Reply-To: <200404202045.i3KKjKSb090656@apollo.backplane.com>

On Tue, Apr 20, 2004 at 01:45:20PM -0700, Matthew Dillon wrote:
> On the other hand, BGP can be trivially protected. You don't need
> ingress or egress filtering at all (by which I mean IP block filtering),
> you simply disable the routing of any packet to or from port 179.
> 99.9% of all BGP links are direct connections (meaning that they
> terminate at a router rather than pass through one). No packet to
> or from port 179 has any business being routed from one network to
> another in virtually all BGP link setups so the fix is utterly trivial.

most multi-router, multi-link setups use peering with a multihop address
of some other router (or route server) to provide equal cost balancing.

RFC3682 describes something along the same vein of what you suggest, but
handles non-directly connected cases (multihop, tunnels, etc) better.

vendor J lets you dynamically build your firewall rules such that you can
actually just create a term "allow from all bgp neighbors in the config
AND port 179 AND protocol tcp". vendor C would do well to provide
something similar.

those running freebsd bgp daemons should consider building something
similar that feeds ${freebsd_packet_filter} from a
${freebsd_routing_daemon} configuration file.

-- 
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org
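The generator Bill describes (pf rules fed from a routing daemon's neighbor list), as an added example that is not part of the original post or of any FreeBSD daemon's code. The "neighbor <addr> remote-as <asn>" syntax, the sample peers and the interface name em0 are assumptions; the rules allow TCP/179 only to and from configured peers and drop everything else on that port, transit included.

```python
import ipaddress
import re

# Constructed sample config in an assumed "neighbor <addr> remote-as <asn>" syntax;
# it is not the grammar of any particular daemon.
SAMPLE_BGPD_CONF = """\
router bgp 65001
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.1 description upstream-a
 neighbor 198.51.100.7 remote-as 65003
 neighbor 2001:db8::1 remote-as 65004
 neighbor not-an-address remote-as 65005
"""

NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+remote-as\s+\d+\s*$", re.MULTILINE)


def bgp_neighbors(conf_text):
    """Return the unique, syntactically valid neighbor addresses, in config order."""
    peers = []
    for match in NEIGHBOR_RE.finditer(conf_text):
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # skip hostnames/typos rather than emit a rule pf would reject
        if addr not in peers:
            peers.append(addr)
    return peers


def pf_rules(peers, iface="em0"):
    """Emit pf.conf lines restricting TCP/179 on `iface` to the configured peers."""
    if not peers:
        # Fail closed: with no peers configured, nothing should speak BGP through us.
        return [f"block quick on {iface} proto tcp to port 179"]
    table = ", ".join(str(p) for p in peers)
    return [
        f"table <bgp_peers> const {{ {table} }}",
        # Inbound sessions: only known peers may connect to our own BGP listener.
        f"pass in quick on {iface} proto tcp from <bgp_peers> to ({iface}) port 179 keep state",
        # Outbound sessions: we only initiate BGP toward known peers.
        f"pass out quick on {iface} proto tcp from ({iface}) to <bgp_peers> port 179 keep state",
        # Anything else touching port 179, in either direction or in transit, is dropped;
        # packets of the sessions passed above match their state entry before these rules.
        f"block quick on {iface} proto tcp from any port 179",
        f"block quick on {iface} proto tcp to any port 179",
    ]


def rules_from_config(conf_text, iface="em0"):
    """Parse the daemon config and return the pf rule lines to load."""
    return pf_rules(bgp_neighbors(conf_text), iface)


if __name__ == "__main__":
    print("\n".join(rules_from_config(SAMPLE_BGPD_CONF)))
```

Re-run it (and reload the anchor with pfctl) whenever the neighbor list changes, so the filter never lags behind the routing config.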