BGP/OSPF router security

Henrique de Moraes Holschuh hmh at hmh.eng.br
Sun Feb 10 13:34:43 CET 2013


On Sun, 10 Feb 2013, James Howlett wrote:
> > There are some guidelines (still WIP) here: 
> > https://wiki.freebsd.org/NetworkPerformanceTuning
> > 
> > Btw, what amount of traffic (PPS) we are talking about?
> > 
> 
> 200k pps . The problem was, that the router started to drop the OSFP related comunication, and all my network went off-line.

1. I suggest you read http://tools.ietf.org/html/rfc6192 for some ideas.

2. To fix the issue, you must implement QoS site-wide: you must priorize the
control-plane traffic (i.e. OSPF, BGP, etc) from known-good sources, and
depriorize (maybe even drop) control-plane traffic from any unknown sources
on all border routers (including access routers), as well as any traffic
that should not be in the control-plane traffic class.

Use the highest priority class for control-plane traffic.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



More information about the Bird-users mailing list