From: Brian Dennis (brian@5g.net)
Date: Fri Jun 06 2003 - 18:57:47 GMT-3
Read section 6.8 from RFC 1771 (A Border Gateway Protocol 4). It will
help answer your question.
(http://www.ietf.org/rfc/rfc1771.txt)
<snip>
6.8 Connection collision detection.
If a pair of BGP speakers try simultaneously to establish a TCP
connection to each other, then two parallel connections between this
pair of speakers might well be formed. We refer to this situation as
connection collision. Clearly, one of these connections must be
closed.
</snip>
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
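As an added illustration of the section 6.8 rule Brian points to (this is not code from the original post or from any router vendor), the following Python model has two speakers each try to open TCP 179 to the other through a firewall policy, and then applies the RFC 1771 collision resolution: when both connections form, the speaker with the lower BGP Identifier closes its existing connection and accepts the one initiated by the remote, so the connection initiated by the higher BGP Identifier survives. When only one direction gets through (the PAT case), no collision exists and the single inside-initiated connection carries the session regardless of the identifiers. The speaker names, addresses and the `inside_initiated_only` policy are constructed for the example.

```python
"""Model of the RFC 1771 section 6.8 collision rule (constructed example).

Two BGP speakers each try to open TCP 179 to the other. A firewall
policy decides which SYNs get through. If both connections form
(a collision), the speaker with the lower BGP Identifier closes the
connection it already holds and accepts the one the remote speaker
initiated, so the session that survives is the one initiated by the
higher BGP Identifier. If only one direction gets through, there is no
collision and that single connection carries the session.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable, Optional


@dataclass(frozen=True)
class Speaker:
    name: str
    bgp_id: IPv4Address  # BGP Identifier carried in the OPEN message


@dataclass(frozen=True)
class Connection:
    initiator: Speaker  # the side that sent the TCP SYN to port 179
    acceptor: Speaker


# A firewall policy: may `src` open a TCP connection to `dst`:179?
Policy = Callable[[Speaker, Speaker], bool]


def allow_all(src: Speaker, dst: Speaker) -> bool:
    """No firewall: both directions get through, so a collision can occur."""
    return True


def inside_initiated_only(inside: Speaker) -> Policy:
    """Assumed PIX behaviour from the question: PAT with no conduit or
    access-list for port 179, so only connections the inside speaker
    initiates get through (no translation slot for outside-to-inside)."""
    return lambda src, dst: src is inside


def attempt_connections(a: Speaker, b: Speaker, policy: Policy) -> list[Connection]:
    """Both speakers try simultaneously; return the connections that form."""
    return [Connection(src, dst) for src, dst in ((a, b), (b, a)) if policy(src, dst)]


def resolve_collision(conns: list[Connection]) -> Optional[Connection]:
    """Apply RFC 1771 6.8 once OPENs have been exchanged on every connection.

    With two parallel connections, the speaker whose BGP Identifier is
    lower closes its existing connection and accepts the one initiated by
    the remote; the net effect is that the connection initiated by the
    higher BGP Identifier survives. Identifiers compare as unsigned
    32-bit integers, which is what int() on an IPv4Address yields.
    """
    if not conns:
        return None
    if len(conns) == 1:
        return conns[0]  # only one connection formed: nothing to resolve
    if len({int(c.initiator.bgp_id) for c in conns}) < len(conns):
        # Identical Identifiers on both peers is a misconfiguration; the
        # comparison cannot pick a winner, so refuse rather than guess.
        raise ValueError("peers share a BGP Identifier")
    return max(conns, key=lambda c: int(c.initiator.bgp_id))


def established_session(a: Speaker, b: Speaker, policy: Policy) -> Optional[Connection]:
    """Who ends up as initiator of the surviving session, or None if none forms."""
    return resolve_collision(attempt_connections(a, b, policy))


def demo() -> dict[str, Optional[str]]:
    """Constructed topology from the question: R1 inside the PIX, R2 outside.
    R1 deliberately has the lower BGP Identifier."""
    r1 = Speaker("R1", IPv4Address("10.0.0.1"))
    r2 = Speaker("R2", IPv4Address("192.0.2.1"))
    scenarios = {
        "no firewall": allow_all,
        "pix pat inside-to-outside": inside_initiated_only(r1),
        "tcp 179 blocked both ways": lambda src, dst: False,
    }
    return {
        label: (s.initiator.name if (s := established_session(r1, r2, policy)) else None)
        for label, policy in scenarios.items()
    }


if __name__ == "__main__":
    for label, initiator in demo().items():
        print(f"{label}: session initiated by {initiator}")
```

Without the firewall both connections form and the higher-ID speaker's (R2's) connection wins; behind PAT the only connection that can form is R1's outbound one, so it is the session, even though R1 has the lower identifier.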
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Volkov, Dmitry (IDS Canada)
Sent: Friday, June 06, 2003 2:40 PM
To: 'ccielab@groupstudy.com'; 'security@groupstudy.com'
Subject: BGP session establishment through Firewall
R1------(in)PIX(out)-----R2
FW does PAT for inside network to outside
Both peers trying to establish BGP via TCP 179.
FW blocks TCP 179 in one direction (from outside to inside, because no
translation slot exists and no access-list or conduit);
however, neighboring is established via the other direction's session
(from inside to outside) only.
So one-way TCP is enough; there is no necessity to open TCP 179 from
outside to inside.
Is it right? Is there any rule as to which session is allowed to establish
neighboring (like, I don't know, from higher BGP identifier to lower or
something like that)?
Dmitry
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:54 GMT-3