From: Volkov, Dmitry (IDS Canada) (dmitry_volkov@ca.ml.com)
Date: Fri Jun 06 2003 - 20:34:25 GMT-3
Thanks, Brian
Dmitry Volkov
CCIE # 10292
> -----Original Message-----
> From: Brian Dennis [mailto:brian@5g.net]
> Sent: Friday, June 06, 2003 5:58 PM
> To: 'Volkov, Dmitry (IDS Canada)'; ccielab@groupstudy.com;
> security@groupstudy.com
> Subject: RE: BGP session establishment through Firewall
>
>
> Read section 6.8 from RFC 1771 (A Border Gateway Protocol 4). It will
> help answer your question.
>
> (http://www.ietf.org/rfc/rfc1771.txt)
>
> <snip>
> 6.8 Connection collision detection.
>
> If a pair of BGP speakers try simultaneously to establish a TCP
> connection to each other, then two parallel connections between this
> pair of speakers might well be formed. We refer to this situation as
> connection collision. Clearly, one of these connections must be
> closed.
> </snip>
>
> Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Volkov, Dmitry (IDS Canada)
> Sent: Friday, June 06, 2003 2:40 PM
> To: 'ccielab@groupstudy.com'; 'security@groupstudy.com'
> Subject: BGP session establishment through Firewall
>
> R1------(in)PIX(out)-----R2
> FW does PAT for inside network to outside
>
> Both peers are trying to establish BGP via TCP 179.
> FW blocks TCP 179 in one direction (from outside to inside, because no
> translation slot exists and no access-list conduit); however, neighboring
> is established via the session in the other direction (from inside to
> outside) only.
> So, one-way TCP is enough - no necessity to open TCP 179 from outside to
> inside.
> Is it right?? Is there any rule - which session is allowed to establish
> neighboring (like, I don't know, from higher BGP identifier to lower or
> something like that)?
>
>
> Dmitry
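The following toy model is an added illustration, not code from the thread. It models the two scenarios discussed above: peers behind a PAT firewall that only lets TCP 179 open inside-to-outside (so only one connection ever forms and no collision can occur), and the unfirewalled case where both OPENs cross and RFC 1771 section 6.8 resolves the collision by keeping the connection initiated by the speaker with the higher BGP Identifier (the snip above stops just before that rule). Router names, identifiers and the firewall rule are constructed sample values.

```python
# Toy model of BGP peering through a PAT firewall with RFC 1771 s6.8 collision
# detection. Names R1/R2, identifiers and the firewall rule are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class Speaker:
    name: str
    bgp_id: str             # BGP Identifier in dotted form, compared as a 32-bit unsigned int
    inside: bool            # True if behind the PIX "inside" interface
    initiates: bool = True  # actively opens TCP 179 toward the peer

    @property
    def id_value(self) -> int:
        return int(ipaddress.IPv4Address(self.bgp_id))


def firewall_permits(src: Speaker, dst: Speaker, pat_only: bool) -> bool:
    """With PAT and no conduit/ACL, a new TCP 179 connection is only
    allowed from inside to outside (no translation slot exists inbound)."""
    return (not pat_only) or (src.inside and not dst.inside)


def establish(a: Speaker, b: Speaker, pat_only: bool) -> dict:
    """Return the TCP connections that form and the one carrying the BGP session."""
    attempts = [(s.name, d.name) for s, d in ((a, b), (b, a))
                if s.initiates and firewall_permits(s, d, pat_only)]
    if not attempts:
        return {"connections": [], "session": None, "collision": False}
    if len(attempts) == 1:
        # Only one TCP connection ever exists, so there is nothing to collide.
        return {"connections": attempts, "session": attempts[0], "collision": False}
    # Both OPENs cross while each side is in OpenConfirm: RFC 1771 s6.8 says the
    # speaker with the lower BGP Identifier closes the connection it initiated and
    # accepts the peer's, so the connection opened by the higher Identifier wins.
    if a.id_value == b.id_value:
        raise ValueError("duplicate BGP Identifiers; the RFC gives no tie-break")
    winner, loser = (a, b) if a.id_value > b.id_value else (b, a)
    return {"connections": attempts, "session": (winner.name, loser.name), "collision": True}


if __name__ == "__main__":
    r1 = Speaker("R1", "1.1.1.1", inside=True)    # constructed sample values
    r2 = Speaker("R2", "2.2.2.2", inside=False)
    print(establish(r1, r2, pat_only=True))   # one connection inside->outside, no collision
    print(establish(r1, r2, pat_only=False))  # collision, R2's connection survives
```

If the inside router is configured passive and never initiates, the PAT-only case yields no connection at all, which is the failure mode to check when a one-way rule is relied upon.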
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:54 GMT-3