[107127] in North American Network Operators' Group
Re: BGP, ebgp-multihop and multiple peers
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Wed Aug 27 03:48:23 2008
From: Iljitsch van Beijnum <iljitsch@muada.com>
To: Paul Wall <pauldotwall@gmail.com>
In-Reply-To: <620fd17c0808262258i5208641cjd4808091795a46e1@mail.gmail.com>
Date: Wed, 27 Aug 2008 09:48:01 +0200
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
On 27 aug 2008, at 7:58, Paul Wall wrote:
>> - single loopback/single IP for all peers, or;
>> - each peer with its own loopback/IP?
> You should use caution when using loopback IP addresses and building
> external multihop BGP sessions. By permitting external devices to
> transmit packets to your loopback(s), you open the door to
> spoof/denial of service attacks.
[...]
Indeed. I would use two loopbacks, one for internal stuff that is
unreachable from the outside, another one from another range that
allows the external sessions.
But that's more a question of ease of management than of risk, because
if people can do something bad using one loopback address, it really
doesn't matter much that additional ones are better protected.
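The two-loopback split described in the reply above, as an added example that is not part of the original post or of any vendor's documentation. The syntax is Cisco IOS-style; all addresses (taken from the documentation ranges 192.0.2.0/24, 203.0.113.0/24 and 198.51.100.0/24), AS numbers, interface names and the remote peer are assumed for illustration.

```cisco
! Added example, not from the original post. Addresses, AS numbers and
! interface names are assumed (documentation ranges, private AS numbers).
!
! Loopback0: internal-only address (iBGP, management). It must never be
! reachable from outside the network.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Loopback1: taken from a separate range and used only as the source of
! external multihop sessions. This is the single address outsiders may reach.
interface Loopback1
 ip address 203.0.113.1 255.255.255.255
!
! Edge filter applied inbound on every external-facing interface:
! - the known multihop peer may reach Loopback1 on BGP (TCP/179) only;
! - no other outside source may reach Loopback1 at all;
! - nothing from outside may reach the internal Loopback0.
! Without the two "deny" lines a single shared loopback would be open to
! any remote host that can route a packet to it.
ip access-list extended EXT-IN
 permit tcp host 198.51.100.1 host 203.0.113.1 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 203.0.113.1
 deny   ip any host 203.0.113.1
 deny   ip any host 192.0.2.1
 permit ip any any
!
interface GigabitEthernet0/0
 description external link (assumed)
 ip address 203.0.113.253 255.255.255.252
 ip access-group EXT-IN in
!
router bgp 64496
 ! External session: multihop, sourced from the externally reachable
 ! Loopback1, with an MD5 password (placeholder value) on the session.
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 ebgp-multihop 2
 neighbor 198.51.100.1 update-source Loopback1
 neighbor 198.51.100.1 password SHARED-SECRET-PLACEHOLDER
 ! Internal session: stays on the internal-only Loopback0.
 neighbor 192.0.2.2 remote-as 64496
 neighbor 192.0.2.2 update-source Loopback0
```

The filter, not the second loopback, is what actually limits exposure; the separate range simply makes it easy to write one rule for "everything external may only talk to this one address" and another for "nothing external may talk to the internal one", which is the ease-of-management point the reply makes. Where the platform supports it and the session does not need `ebgp-multihop`, a TTL-security (GTSM) setting on the neighbor is a further, independent check on how far away a packet claiming to be the peer may originate.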