
nanog mailing list archives

Re: ebgp-multihop
From: David Barak <thegameiam () yahoo com>
Date: Thu, 27 Feb 2003 19:29:29 -0800 (PST)


eBGP multihop carries with it the implicit possibility
of session hijacking - in a normal (Multihop=1)
session, the router would not be able to find a
duplicate neighbor with the specified IP address
directly connected.  Obviously, once you're saying
that the neighbor could be anywhere in the world,
what's to prevent me assigning my home Macintosh with
a second IP address and injecting whatever I want into
your network?

Second, Multihop is really a kludge: eBGP is ideally
run at the edge of a network across a point-to-point
(or shared) medium, and there really shouldn't be
multiple paths to eBGP neighbors.  If your link to ISP
X goes away, do you really want to have your router
think that ISP X is still available?  Or would you
rather just fail-over to a backup path?

iBGP is another matter -> there you want 255, b/c you
want the sessions to stay up even in the event of a
backbone link flap.

--- Iljitsch van Beijnum <iljitsch () muada com> wrote:

> On Thu, 27 Feb 2003, Tim Rand wrote:
>
> > I have searched the archives but have not found an
> > answer to my question - is there any danger in using
> > excessively high TTL values with ebgp-multihop?
> > For example, neighbor x.x.x.x ebgp-multihop 255 -
> > 255 is generally much higher than needed, but is
> > there any risk/danger ?? Thanks in advance. -
>
> If you use this for a regular BGP feed (one where you actually send
> traffic as per the routes received) you can get interesting results if
> your direct connection to the peer goes down. Your BGP session will
> probably survive this and simply continue to run over any other
> connection(s) to the net you have. You can of course make sure this
> doesn't happen by creative application of static routes with different
> administrative distances (or even a filter).

David Barak
-fully RFC 1925 compliant-
