BGP/OSPF router security
Ondrej Zajicek
santiago at crfreenet.org
Sun Feb 10 14:52:51 CET 2013
On Sun, Feb 10, 2013 at 10:34:43AM -0200, Henrique de Moraes Holschuh wrote:
> 2. To fix the issue, you must implement QoS site-wide: you must priorize the
> control-plane traffic (i.e. OSPF, BGP, etc) from known-good sources, and
> depriorize (maybe even drop) control-plane traffic from any unknown sources
> on all border routers (including access routers), as well as any traffic
> that should not be in the control-plane traffic class.
Hello
Note that this is just first half of the problem, second half is that
you must have enough CPU power to process control plane traffic. On
Linux, packet forwarding of regular traffic could eat all of your CPU
(because it is not handled by CPU/process scheduler) so control plane
processing (BIRD) does not get enough time slices (even if scheduled
with maximum priority).
I witnessed this issue on some older (2.4.x) Linux version on some
embedded MIPS machines, i am not sure how this is handled in recent
versions on more common hardware.
--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20130210/8569efe2/attachment-0001.asc>
More information about the Bird-users
mailing list