[178125] in North American Network Operators' Group
Re: Interesting BFD discussion on reddit
daemon@ATHENA.MIT.EDU (Dave Waters)
Tue Feb 17 03:05:26 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <8661b1725e.fsf@valhalla.seastrom.com>
Date: Tue, 17 Feb 2015 07:42:20 +0530
From: Dave Waters <davewaters1970@gmail.com>
To: Rob Seastrom <rs@seastrom.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
Because BFD packets can get routed across multiple hops. Unlike EBGP where
you connect to a peer in a different AS and you have a direct connection,
BFD packets can traverse multiple hops to reach the endpoint.
In the case of multihop BFD, the BFD packets also get re-routed when the
topology changes, so you can almost never bet on the TTL value to secure the
protocol.
Dave
On Tue, Feb 17, 2015 at 7:03 AM, Rob Seastrom <rs@seastrom.com> wrote:
>
> Dave Waters <davewaters1970@gmail.com> writes:
>
> >
> > http://www.reddit.com/r/networking/comments/2vxj9u/very_elegant_and_a_simple_way_to_secure_bfd/
> >
> > Authentication mechanisms defined for IGPs cannot be used to protect BFD
> > since the rate at which packets are processed in BFD is very high.
> >
> > Dave
>
> One might profitably ask why BFD wasn't designed to take advantage of
> high-TTL-shadowing, a la draft-gill-btsh.
>
> -r
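The trade-off Dave describes, as an added illustration that is not part of the thread or of any BFD implementation: a GTSM-style TTL check (in the spirit of draft-gill-btsh / RFC 5082) modelled for a single-hop and a multihop BFD session. The path lengths, the detect multiplier and the function names are constructed assumptions.

```python
"""GTSM-style TTL check on a BFD receive path: single-hop vs. multihop.
Added illustration only; path lengths below are constructed examples."""

INITIAL_TTL = 255  # GTSM senders transmit with the maximum TTL


def arriving_ttl(path_len: int) -> int:
    """TTL the receiver sees when the sender transmits with TTL 255 and the
    packet transits `path_len` routers (directly connected peer: 0)."""
    if not 0 <= path_len <= INITIAL_TTL:
        raise ValueError("path length out of range")
    return INITIAL_TTL - path_len


def gtsm_accept(ttl: int, max_path_len: int) -> bool:
    """Accept only packets whose TTL proves the sender is at most
    `max_path_len` router hops away. Single-hop BFD uses 0 (TTL must be 255)."""
    return ttl >= INITIAL_TTL - max_path_len


def accepted_distances(max_path_len: int) -> range:
    """Sender distances (router hops) the check lets through: {0} for
    single-hop BFD; every hop of tolerance added for multihop widens it."""
    return range(0, max_path_len + 1)


def simulate_session(path_lens, max_path_len: int, detect_mult: int = 3) -> dict:
    """Feed one legitimate BFD control packet per element of `path_lens` (the
    router-hop count of the path at that moment) through the TTL check. The
    session is declared down once `detect_mult` consecutive packets are
    rejected, which is what a reroute does to a tightly configured check."""
    rejected_run, down_at, results = 0, None, []
    for i, plen in enumerate(path_lens):
        ok = gtsm_accept(arriving_ttl(plen), max_path_len)
        results.append(ok)
        rejected_run = 0 if ok else rejected_run + 1
        if down_at is None and rejected_run >= detect_mult:
            down_at = i
    return {"accepted": results, "down_at": down_at}


if __name__ == "__main__":
    # Constructed scenario: multihop peer 3 hops away, path reroutes to 5 hops.
    path = [3, 3, 3, 5, 5, 5, 5]
    tight = simulate_session(path, max_path_len=3)
    loose = simulate_session(path, max_path_len=5)
    print("tight check: session down at packet", tight["down_at"])  # 5
    print("loose check: session down at packet", loose["down_at"])  # None
    print("loose check accepts senders at hops", list(accepted_distances(5)))
```

The tight check drops the session on the reroute; the loose check keeps it up but now passes any sender within five router hops, which is the point that the TTL alone cannot pin down a multihop peer.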