* frantisek holop <min...@obiit.org> [2009-08-31 20:27]:
> hi there,
>
> i found this interesting article
> http://www.renesys.com/blog/2009/08/staring-into-the-gorge.shtml
>
> i am not a bgp user so i would be grateful if someone
> answered how openbsd's bgpd handles the described problem.
> thanks,

executive summary:

1) missing/bad input verification leads to session drops

   not much you can do but being paranoid about every input. we do as
   much verification as we can. unfortunately the bgp rfcs are often ...
   bad or ambiguous, and require you to drop sessions. but we do what
   we can here.

2) the issue is amplified by every router on the planet forwarding the
   "weird" packet.

   nothing we can do about that - this is how bgp works. well, see 3),
   helps a bit.

3) session flap dampening could mitigate the amplification a bit, but
   nobody implements it

   nobody? in a small village called openbgpd we've done that from day
   #1 on, and there is no button to disable it. i actually had the flap
   dampening in my first prototype that couldn't do anything with
   update messages but drop them.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
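The effect of session flap dampening described in point 3, as an added example that is not part of the original message and is not OpenBGPD's code. It assumes dampening is done by doubling the idle time after each drop; the constants, `struct peer` and all function names are hypothetical.

```c
#include <stdio.h>

/* Hypothetical values chosen for illustration; not OpenBGPD's. */
#define IDLE_HOLD_INITIAL 30u   /* seconds idle before the first retry */
#define IDLE_HOLD_MAX     3600u /* upper bound for the backoff */
#define STABLE_AFTER      900u  /* uptime that resets the backoff */

struct peer {
    unsigned idle_hold;  /* idle time to apply on the next drop */
    int dampen;          /* 1 = grow idle_hold on every flap */
};

void peer_init(struct peer *p, int dampen) {
    p->idle_hold = IDLE_HOLD_INITIAL;
    p->dampen = dampen;
}

/* Called when an established session drops after `uptime` seconds.
 * Returns how long to stay idle before reconnecting. */
unsigned session_down(struct peer *p, unsigned uptime) {
    unsigned wait;
    if (!p->dampen)
        return IDLE_HOLD_INITIAL;          /* fixed retry interval */
    if (uptime >= STABLE_AFTER)
        p->idle_hold = IDLE_HOLD_INITIAL;  /* session was stable: forgive */
    wait = p->idle_hold;
    p->idle_hold *= 2;                     /* penalise the next flap */
    if (p->idle_hold > IDLE_HOLD_MAX)
        p->idle_hold = IDLE_HOLD_MAX;
    return wait;
}

/* Count session resets within `window` seconds when every session dies
 * `uptime` seconds after coming up, e.g. because the neighbor resends
 * an update that forces a session drop. */
unsigned count_flaps(int dampen, unsigned window, unsigned uptime) {
    struct peer p;
    unsigned t = 0, flaps = 0;
    peer_init(&p, dampen);
    for (;;) {
        t += uptime;                       /* session up, then dropped */
        if (t > window)
            break;
        flaps++;
        t += session_down(&p, uptime);     /* idle before reconnecting */
    }
    return flaps;
}

int main(void) {
    printf("no dampening: %u flaps/hour\n", count_flaps(0, 3600, 5));
    printf("dampening:    %u flaps/hour\n", count_flaps(1, 3600, 5));
    return 0;
}
```

Each reset also means a full table withdrawal and re-announcement toward other peers, so fewer resets per hour directly reduces the churn a single bad update can cause.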