From owner-freebsd-security@FreeBSD.ORG Tue Apr 20 13:45:22 2004
Date: Tue, 20 Apr 2004 13:45:20 -0700 (PDT)
From: Matthew Dillon
Message-Id: <200404202045.i3KKjKSb090656@apollo.backplane.com>
To: Charles Swiger
References: <6.0.3.0.0.20040420125557.06b10d48@209.112.4.2> <593EE0FE-9309-11D8-A8CA-003065ABFD92@mac.com>
cc: freebsd-security@freebsd.org
Subject: Re: TCP RST attack

Well, the advisory certainly exaggerates some, but I think there is a real issue with BGP and I have to respectfully disagree with DES. Route flapping cannot be solved by reducing hysteresis, at least not unless you want your backbone provider to cut you off! Flapping is a major problem... less of one now than when I was doing BEST a decade ago, but still very serious. When a BGP session flaps it has to resynchronize, and resynchronization can take a significant period of time, bandwidth, and router resources to accomplish. You can't just reconnect and pick up where you left off (if you could it would be a non-problem).

On the other hand, BGP can be trivially protected. You don't need ingress or egress filtering at all (by which I mean IP block filtering), you simply disable the routing of any packet to or from port 179. 99.9% of all BGP links are direct connections (meaning that they terminate at a router rather than pass through one). No packet to or from port 179 has any business being routed from one network to another in virtually all BGP link setups so the fix is utterly trivial.

-Matt
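The port-179 policy Matt describes, written out as a small packet-decision function so the rule can be checked against sample segments. This is an added example, not code from the post or from FreeBSD; the router addresses, peer address and the sample segments are constructed for illustration.

```python
from ipaddress import ip_address

BGP_PORT = 179

# Constructed addressing (assumption, not from the post): the addresses
# configured on this router's interfaces, and its directly connected BGP peer.
ROUTER_ADDRS = {ip_address("192.0.2.1"), ip_address("198.51.100.1")}
BGP_PEERS = {ip_address("192.0.2.2")}


def bgp_filter(src, sport, dst, dport):
    """Return 'allow' or 'deny' for one TCP segment seen by the router.

    Policy from the post: TCP/179 is only ever legitimate when the session
    terminates on this router, and then only with a configured peer. Any
    TCP/179 segment that would be forwarded between networks (neither end
    is a local address) is dropped. Other ports are not touched.
    A multihop BGP session, which the post treats as the rare exception,
    would need its own explicit allow entry rather than this blanket rule.
    """
    src, dst = ip_address(src), ip_address(dst)
    if BGP_PORT not in (sport, dport):
        return "allow"                      # not BGP: no opinion
    if src not in ROUTER_ADDRS and dst not in ROUTER_ADDRS:
        return "deny"                       # transit BGP: never routed
    remote = dst if src in ROUTER_ADDRS else src
    return "allow" if remote in BGP_PEERS else "deny"


def apply_policy(segments):
    """Apply bgp_filter to (src, sport, dst, dport) tuples; return decisions."""
    return [bgp_filter(*seg) for seg in segments]


# Constructed sample segments: peer session, transit BGP, stray BGP to the
# router from a non-peer, and ordinary web traffic.
SAMPLE = [
    ("192.0.2.2", 40000, "192.0.2.1", 179),
    ("203.0.113.5", 40000, "198.51.100.7", 179),
    ("203.0.113.5", 40000, "192.0.2.1", 179),
    ("203.0.113.5", 40000, "198.51.100.7", 80),
]

if __name__ == "__main__":
    for seg, verdict in zip(SAMPLE, apply_policy(SAMPLE)):
        print(verdict, seg)
```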