From: Jens Petter (jenseike@start.no)
Date: Sat Jul 15 2006 - 12:11:06 ART
Well, that should not be possible if your PIX is functioning as it should. I
have tested this myself many times, and I remember that I struggled to get
this peering working before I knew about this. I am not sure what other
config you have done on your PIX, but somehow the offset of the sequence
number has been turned off. Just think of it: how does hashing work? Yes,
it uses, among other things, the sequence number in the hash calculation.
If this is altered, the other peer would fail that hash for sure.
http://www.cisco.com/warp/public/459/bgpfaq_5816.shtml#twenty-five
-----Original Message-----
From: Stefan Grey [mailto:examplebrain@hotmail.com]
Sent: 15. juli 2006 16:55
To: jenseike@start.no
Cc: ccielab@groupstudy.com
Subject: RE: Pix, static command and nonrandomseq
When I configured an IBGP session between two routers with the PIX in
between, I configured the static (inside) 172.16.2.2 172.16.2.2 command and
didn't add the nonrandomseq statement. Well, there is authentication. I use
the neighbor 172.16.2.2 key cciesec command.
And the peers authenticate just OK. Is this not normal behaviour? If normal,
why then use nonrandomseq??
>From: "Jens Petter" <jenseike@start.no>
>Reply-To: "Jens Petter" <jenseike@start.no>
>To: "'Stefan Grey'" <examplebrain@hotmail.com>, <ccielab@groupstudy.com>
>Subject: RE: Pix, static command and nonrandomseq
>Date: Sat, 15 Jul 2006 15:52:15 +0200
>
>If you are using MD5 hashing password authentication with your BGP peering
>through the PIX, you would need to disable random sequencing. The hash
>number is included in the TCP packet header option field. The PIX is by
>default offsetting the sequence number by a random value. BGP peers with
>TCP use the original sequence number to make a 128-bit hash value. If you
>do not disable this, the other BGP peer would fail that authentication.
>
>For ordinary peering through the PIX without authentication you don't need
>to disable this feature, and you should not...
>
>Jens Petter
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Stefan Grey
>Sent: 15. juli 2006 14:21
>To: ccielab@groupstudy.com
>Subject: Pix, static command and nonrandomseq
>
>Why is this nonrandomseq added at the end of the static command when we
>configure BGP through the PIX?
>
>I read that it is used for some security. Why is it used with BGP?? (Why
>don't we use it in other cases and why use it in the case of using BGP)??
>
>Thanks,
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
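
Added example, not part of the original thread: a sketch of the RFC 2385 TCP MD5 signature calculation that BGP password authentication relies on, showing that a receiver rejects a segment whose sequence number was offset in transit while the digest option was left unchanged. The source address, ports, sequence values and the helper names are constructed for illustration; the peer address 172.16.2.2 and the key cciesec are the ones quoted in the thread.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"cciesec"                                      # shared key quoted in the thread
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)  # constructed BGP KEEPALIVE message

def tcp_md5_digest(src, dst, sport, dport, seq, ack, flags, window, payload, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header (checksum zeroed,
    options excluded), segment data, then the shared key."""
    header_len = 20 + 20  # fixed header + 18-byte MD5 option padded to 20 bytes
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, header_len + len(payload)))
    offset_flags = ((header_len // 4) << 12) | flags
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                        offset_flags, window, 0, 0)   # checksum = 0, urgent = 0
    return hashlib.md5(pseudo + fixed + payload + key).digest()

def sign(fields, key):
    """Sender side: attach the 16-byte digest carried in the TCP option."""
    return {"fields": fields, "digest": tcp_md5_digest(**fields, key=key)}

def receiver_accepts(segment, key):
    """Receiver side: recompute the digest from the header as it arrived."""
    expected = tcp_md5_digest(**segment["fields"], key=key)
    return hmac.compare_digest(expected, segment["digest"])

def offset_sequence(segment, offset):
    """Models a device in the path that shifts the sequence number
    but does not know the key, so the digest option passes through as-is."""
    seq = (segment["fields"]["seq"] + offset) % 2**32
    return {"fields": dict(segment["fields"], seq=seq), "digest": segment["digest"]}

def demo():
    fields = dict(src="172.16.1.1", dst="172.16.2.2", sport=40000, dport=179,
                  seq=1000, ack=5000, flags=0x18, window=16384, payload=KEEPALIVE)
    sent = sign(fields, KEY)
    rewritten = offset_sequence(sent, 0x5A5A1234)   # constructed random offset
    return receiver_accepts(sent, KEY), receiver_accepts(rewritten, KEY)

if __name__ == "__main__":
    print(demo())
```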
This archive was generated by hypermail 2.1.4 : Tue Aug 01 2006 - 07:13:47 ART