Home page logo
/

nanog logo nanog mailing list archives

Re: ebgp-multihop
From: Jared Mauch <jared () puck Nether net>
Date: Thu, 27 Feb 2003 22:34:07 -0500


On Thu, Feb 27, 2003 at 07:29:29PM -0800, David Barak wrote:

Nooooo!

eBGP multihop carries with it the implicit possiblity
of session highjacking - in a normal (Multihop=1)

        Everyone uses md5 signature/bgp password/
authentication keys correct?

        That means this isn't an issue :)

session, the router would not be able to find a
duplicate neighbor with the specified IP address
directly connected.  Obviously, once you're saying
that the neighbor could be anywhere in the world,
what's to prevent me assigning my home Macintosh with
a second IP address and injecting whatever I want into
your network?

Second, Multihop is really a kludge: eBGP is ideally
run at the edge of a network across a point-to-point
(or shared) medium, and there really shouldn't be
multiple paths to eBGP neighbors.  If your link to ISP
X goes away, do you really want to have your router
think that ISP X is still available?  Or would you
rather just fail-over to a backup path?

iBGP is another matter -> there you want 255, b/c you
want the sessions to stay up even in the event of a
backbone link flap.

        Depends on the size of the flap and router
convergence times.

        - Jared


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault