[56195] in North American Network Operators' Group
Re: ebgp-multihop
daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Feb 27 22:35:56 2003
Date: Thu, 27 Feb 2003 22:34:07 -0500
From: Jared Mauch <jared@puck.Nether.net>
To: David Barak <thegameiam@yahoo.com>
Cc: Iljitsch van Beijnum <iljitsch@muada.com>,
Tim Rand <randt@ohsu.edu>, nanog@merit.edu
In-Reply-To: <20030228032929.79408.qmail@web14901.mail.yahoo.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, Feb 27, 2003 at 07:29:29PM -0800, David Barak wrote:
>
> Nooooo!
>
> eBGP multihop carries with it the implicit possibility
> of session hijacking - in a normal (Multihop=1)

Everyone uses md5 signature/bgp password/
authentication keys, correct?
That means this isn't an issue :)

> session, the router would not be able to find a
> duplicate neighbor with the specified IP address
> directly connected. Obviously, once you're saying
> that the neighbor could be anywhere in the world,
> what's to prevent me assigning my home Macintosh with
> a second IP address and injecting whatever I want into
> your network?
>
> Second, Multihop is really a kludge: eBGP is ideally
> run at the edge of a network across a point-to-point
> (or shared) medium, and there really shouldn't be
> multiple paths to eBGP neighbors. If your link to ISP
> X goes away, do you really want to have your router
> think that ISP X is still available? Or would you
> rather just fail-over to a backup path?
>
> iBGP is another matter -> there you want 255, b/c you
> want the sessions to stay up even in the event of a
> backbone link flap.

Depends on the size of the flap and router
convergence times.

- Jared
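
What the "md5 signature/bgp password" mentioned in the reply checks on each TCP segment of a BGP session, following RFC 2385 (TCP MD5 Signature Option). This is an added example, not part of the original message; the addresses, ports, shared secret and function names are constructed for illustration.

```python
import hashlib, hmac, socket, struct

MD5_KIND, MD5_LEN = 19, 18  # TCP MD5 Signature option: kind 19, length 18

def rfc2385_digest(src, dst, tcp_hdr, data, key):
    """MD5(pseudo-header | 20-byte TCP header, checksum zeroed | data | key)."""
    fixed = bytearray(tcp_hdr[:20])          # options are excluded from the hash
    fixed[16:18] = b"\x00\x00"               # checksum field counted as zero
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!BBH", 0, socket.IPPROTO_TCP, len(tcp_hdr) + len(data))
    return hashlib.md5(pseudo + bytes(fixed) + data + key).digest()

def sign_segment(src, dst, sport, dport, seq, ack, flags, data, key):
    """Build a 40-byte TCP header carrying the signature (TCP checksum left 0)."""
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        10 << 4, flags, 16384, 0, 0)   # data offset: 10 words
    digest = rfc2385_digest(src, dst, fixed + bytes(20), data, key)
    return fixed + bytes([1, 1, MD5_KIND, MD5_LEN]) + digest  # NOP, NOP, option

def verify_segment(src, dst, tcp_hdr, data, key):
    """Receiver side: accept only a segment whose MD5 option matches our key."""
    opts, i = tcp_hdr[20:(tcp_hdr[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:    # kind 0 ends the option list
        if opts[i] == 1:                     # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return False                     # malformed option
        if opts[i] == MD5_KIND and opts[i + 1] == MD5_LEN:
            expected = rfc2385_digest(src, dst, tcp_hdr, data, key)
            return hmac.compare_digest(opts[i + 2:i + 18], expected)
        i += opts[i + 1]
    return False                             # unsigned segment: drop

def demo():
    # Constructed values: documentation addresses, made-up ports and secret.
    peer, local, key = "192.0.2.1", "198.51.100.7", b"constructed-shared-secret"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"          # 19-byte BGP KEEPALIVE
    args = (peer, local, 40000, 179, 1000, 2000, 0x18, keepalive)
    signed = sign_segment(*args, key)
    other = sign_segment(*args, b"not-the-secret")      # sender lacks the key
    return (verify_segment(peer, local, signed, keepalive, key),
            verify_segment(peer, local, other, keepalive, key))

if __name__ == "__main__":
    print(demo())
```

The neighbor's address is part of the hashed pseudo-header, so the check binds each segment to both the shared key and the configured peer address.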