From: Jongsoo.Kim@Intelsat.com
Date: Mon Aug 09 2004 - 20:06:20 GMT-3
James,

Are you saying we can't change the next-hop attribute via route-map without ebgp-multihop configured?

J
-----Original Message-----
From: James [mailto:james@towardex.com]
Sent: Sunday, 08 August, 2004 1:53 PM
To: Kim, Jongsoo
Cc: ccielab@groupstudy.com
Subject: Re: RE: BGP Update Source
On Sun, Aug 08, 2004 at 12:26:16PM -0400, jongsoo.kim@intelsat.com wrote:
> Just my two cents on why EBGP peering w/ multihop, update source is not recommended.
>
> In real ISP life, an EBGP session with multihop = 255 and update source loopback can be a really "dangerous" config, as this can create all kinds of problems (black hole, BGP session never going down when it is supposed to), especially if the customer's (the other BGP peer's) loopback is reachable without bringing up the physical connection (so the customer is multi-homed and the loopback address is reachable via the other ISP link as well).
Depends on the customer's needs and whether the customer knows what they are doing. I've seen customers that have no idea what in the name of $$%#@ they are doing with BGP; like you said, yes, they should be very careful indeed :)

But ebgp-multihop isn't as evil as it's been marketed to be by a few ISPs (not saying it's you, don't get me wrong here!). There are several reasons to use it and there are several reasons not to use it.
We (my company) use ebgp-multihop 2 with our upstream on a single gig circuit that's not even load balanced like what Brian suggested earlier. The actual peering goes over a single-hop GE media, no routers, no anything in between.

But why do we do that? Because ebgp-multihop enables the neighbor to set an arbitrary next-hop without having to have the next-hop fall into the connected /30 network for path validation. This means if I am under a DDoS attack that is impacting my network, I can simply advertise a /32 with next-hop set to 192.0.2.2 and set community to no-export, and my upstream's core routers begin blackholing that prefix, saving me from the burden of the entire DDoS :) Yes, some of you may have heard of this being done using communities, but yeah, you don't exactly need communities to achieve this if you convince your upstream to create a permissive distribute-list (while ensuring your /32 announcements get filtered from propagating to the outside) and a multihop session, and to ensure they blackhole IANA-TESTNET on their core infrastructure (thankfully our upstream does).

All in all, when being applied to the world of networking, knowing the limits of any technology you use, whether it be BGP, OSPF, the specific vendor of router you use, or a layer 3 switch, whatever, is the first step in operating an effective, near trouble-free network backbone infrastructure. :)
-J
--
James Jun
TowardEX Technologies, Inc.
Technical Lead, Network Design, Consulting, IT Outsourcing
james@towardex.com
Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867
web: http://www.towardex.com , noc: www.twdx.net
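As an added example (not James's or TowardEX's actual configuration, and not part of the original post), here is an IOS rendering of the setup he describes: the customer sets an arbitrary next-hop on its own /32 over a multihop session, and the upstream sinks that next-hop while filtering what it accepts and what it re-advertises. AS numbers, link addresses, the marker community and the victim address are placeholders from the documentation ranges; only the 192.0.2.2 next-hop and the no-export community come from the post.

```cisco
! === Customer edge (hypothetical AS 64496, link address 198.51.100.2/30) ===
ip bgp-community new-format
!
! Trigger: during an attack the operator only adds this one line for the
! victim address (203.0.113.10 is a placeholder); the tag drives the rest.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
! Tagged statics enter BGP with a marker community plus no-export, so the
! upstream never passes the /32 on to its own peers.
route-map RTBH-REDIST permit 10
 match tag 666
 set community 64496:666 no-export
 set origin igp
!
ip community-list standard RTBH permit 64496:666
ip prefix-list OUR-AGGREGATE seq 5 permit 203.0.113.0/24
!
! Outbound policy: only routes carrying the marker get the discard next-hop;
! the normal aggregate is announced unchanged (sequence 20).
route-map TO-UPSTREAM permit 10
 match community RTBH
 set ip next-hop 192.0.2.2
route-map TO-UPSTREAM permit 20
 match ip address prefix-list OUR-AGGREGATE
!
router bgp 64496
 redistribute static route-map RTBH-REDIST
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 ebgp-multihop 2
 neighbor 198.51.100.1 send-community
 neighbor 198.51.100.1 route-map TO-UPSTREAM out
!
! === Upstream edge (hypothetical AS 64497, link address 198.51.100.1/30) ===
! The discard route is what turns 192.0.2.2 into a sink; it has to exist on
! every core router that will carry the /32, not just on this edge.
ip route 192.0.2.2 255.255.255.255 Null0
!
! Inbound: the customer's own block only, down to /32, so it cannot blackhole
! addresses it does not hold. Outbound: nothing longer than /24 leaves the AS
! even if no-export were stripped somewhere.
ip prefix-list FROM-CUST seq 5 permit 203.0.113.0/24 le 32
ip prefix-list TO-PEERS seq 5 permit 0.0.0.0/0 le 24
!
router bgp 64497
 neighbor 198.51.100.2 remote-as 64496
 neighbor 198.51.100.2 ebgp-multihop 2
 neighbor 198.51.100.2 prefix-list FROM-CUST in
 neighbor 198.51.100.9 remote-as 64498
 neighbor 198.51.100.9 prefix-list TO-PEERS out
```

The inbound prefix-list is the post's "permissive distribute-list", narrowed to the customer's own block; no-export and the outbound prefix-list are the two layers that keep the /32 from propagating outside the upstream.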
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:36 GMT-3