North American Network Operators Group

Re: ebgp-multihop
On Thu, Feb 27, 2003 at 07:29:29PM -0800, David Barak wrote:
>
> Nooooo!
>
> eBGP multihop carries with it the implicit possibility
> of session hijacking - in a normal (Multihop=1)

Everyone uses md5 signature/bgp password/
authentication keys correct?

That means this isn't an issue :)

> session, the router would not be able to find a
> duplicate neighbor with the specified IP address
> directly connected. Obviously, once you're saying
> that the neighbor could be anywhere in the world,
> what's to prevent me assigning my home Macintosh with
> a second IP address and injecting whatever I want into
> your network?
>
> Second, Multihop is really a kludge: eBGP is ideally
> run at the edge of a network across a point-to-point
> (or shared) medium, and there really shouldn't be
> multiple paths to eBGP neighbors. If your link to ISP
> X goes away, do you really want to have your router
> think that ISP X is still available? Or would you
> rather just fail-over to a backup path?
>
> iBGP is another matter -> there you want 255, b/c you
> want the sessions to stay up even in the event of a
> backbone link flap.

Depends on the size of the flap and router
convergence times.

- Jared
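The combination discussed in this thread (an eBGP neighbor with multihop enabled and no MD5 password) can be checked for in a router configuration. The following is an added example, not part of the original message: a small audit over IOS-style "neighbor" statements. The sample configuration, AS numbers and addresses are constructed, and the parser assumes a single "router bgp" block with per-neighbor statements (no peer groups or templates).

```python
import re

# Constructed sample config (IOS-style syntax, documentation address ranges).
SAMPLE_CONFIG = """\
router bgp 64500
 neighbor 192.0.2.1 remote-as 64501
 neighbor 198.51.100.7 remote-as 64502
 neighbor 198.51.100.7 ebgp-multihop 255
 neighbor 203.0.113.9 remote-as 64503
 neighbor 203.0.113.9 ebgp-multihop 2
 neighbor 203.0.113.9 password 7 0000CONSTRUCTED
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 update-source Loopback0
"""

ROUTER_RE = re.compile(r"^\s*router bgp (\d+)\s*$")
NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def audit_bgp(config):
    """Return sorted (neighbor, ttl) pairs: eBGP multihop peers with no password."""
    local_as = None
    peers = {}
    for line in config.splitlines():
        m = ROUTER_RE.match(line)
        if m:
            local_as = m.group(1)
            continue
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        addr, keyword = m.group(1), m.group(2)
        args = (m.group(3) or "").split()
        peer = peers.setdefault(
            addr, {"remote_as": None, "multihop": None, "password": False})
        if keyword == "remote-as" and args:
            peer["remote_as"] = args[0]
        elif keyword == "ebgp-multihop":
            # With no hop count given, IOS uses a TTL of 255.
            peer["multihop"] = int(args[0]) if args else 255
        elif keyword == "password":
            peer["password"] = True
    return sorted(
        (addr, p["multihop"]) for addr, p in peers.items()
        if p["multihop"] is not None        # multihop enabled
        and p["remote_as"] != local_as      # external peer, not iBGP
        and not p["password"])              # no MD5 authentication


if __name__ == "__main__":
    for addr, ttl in audit_bgp(SAMPLE_CONFIG):
        print(f"{addr}: ebgp-multihop {ttl} without neighbor password")
```

On the sample, only 198.51.100.7 is reported: 203.0.113.9 has a password configured, 192.0.2.1 is a directly connected eBGP peer, and 10.0.0.2 is iBGP.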