That is indeed odd, and a sure bug for me :)
AFAIK, both ebgp-multihop and ttl security should implicitly disable
the connected check.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_btsh.html
BTW, the document says that it should be set on both sides, but I guess
this is only a reminder of the fact that the added security depends on
both sides to limit the connection.
The only difference between ttl-security and ebgp-multihop is that the 
former can prevent an attack from a farther away origin (and the need
for an additional disable-connected-check config for the time being :)
-Carlos
Bob Sinclair @ 7/9/2010 22:25 -0300 dixit:
> Hi John,
>
> I found a similar thread:
>
> http://ieoc.com/forums/p/9065/69025.aspx
>
> It ends with a "fix" of configuring "disable-connected-check" on both
> sides.
>
> Does that work for you? Not sure why it should!
>
> The GTSM RFC (http://www.rfc-editor.org/rfc/rfc3682.txt) has this quote:
> "Any directly connected check MUST be disabled for such peerings." Though I
> am not sure if it is relevant here.
>
> HTH,
>
> Bob Sinclair CCIE 10427 CCSI 30427
> CIERS2 Online Instructor
> http://www.tinyurl.com/ciers2online
>
> From: Edward John [mailto:edwardjohn2020_at_googlemail.com] 
> Sent: Tuesday, September 07, 2010 7:39 PM
> To: bob_at_bobsinclair.net
> Cc: Narbik Kocharians; shiran guez; Cisco certification
> Subject: Re: BGP - multihop & ttl security
>
> Hi Bob,
>
> below is the reachability info between loop back..
>
> PE1#show  ip route 10.1.1.100
> Routing entry for 10.1.1.100/32
>   Known via "isis", distance 115, metric 10, type level-2
>   Redistributing via isis
>   Last update from 172.16.111.2 on Serial2/0.100, 01:38:44 ago
>   Routing Descriptor Blocks:
>   * 172.16.111.2, from 10.1.1.100, via Serial2/0.100
>       Route metric is 10, traffic share count is 1
>
> PE1#ping 10.1.1.100 so lo 0 re 10
>
> Type escape sequence to abort.
> Sending 10, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
> Packet sent with a source address of 10.1.1.1
> !!!!!!!!!!
> Success rate is 100 percent (10/10), round-trip min/avg/max = 4/26/64 ms
>
> PE1#show  ip bgp | include 10.1.1.100
> *  0.0.0.0          10.1.1.100                             0 100 200 i
> *  101.101.101.0/24 10.1.1.100               0             0 100 i
> *  172.16.111.0/24  10.1.1.100               0             0 100 i
> *  172.16.113.0/24  10.1.1.100                             0 100 200 i
>
> Regards,
> John
>
> Blogs and organic groups at http://www.ccie.net
--
Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina

Received on Wed Sep 08 2010 - 11:59:42 ART
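
An added illustration of the ebgp-multihop versus ttl-security difference discussed in the message above (not part of the original thread and not vendor code): a simplified Python model of the receive-side TTL decision. It assumes each forwarding router decrements TTL by one and that ttl-security accepts only an arrival TTL of at least 255 minus the configured hops, following GTSM (RFC 3682); the function names and sample senders are constructed.

```python
# Added illustration: a simplified TTL model, not vendor code.
MAX_TTL = 255

def ttl_on_arrival(initial_ttl, routers_between):
    """TTL seen by the receiver, or None if the packet expired in transit.
    Assumption: each forwarding router decrements TTL once; the receiver does not."""
    remaining = initial_ttl - routers_between
    return remaining if remaining >= 1 else None

def accepts_multihop(arrival_ttl):
    """ebgp-multihop only raises the TTL the local router sends; the
    receiver applies no TTL test, so any packet that arrives passes."""
    return arrival_ttl is not None

def accepts_ttl_security(arrival_ttl, hops):
    """GTSM: peers send with TTL 255 and the receiver requires
    arrival TTL >= 255 - hops (assumed acceptance rule)."""
    return arrival_ttl is not None and arrival_ttl >= MAX_TTL - hops

def compare(hops, senders):
    """Return {name: (arrival_ttl, multihop_ok, ttl_security_ok)}."""
    result = {}
    for name, (initial_ttl, routers_between) in senders.items():
        ttl = ttl_on_arrival(initial_ttl, routers_between)
        result[name] = (ttl, accepts_multihop(ttl),
                        accepts_ttl_security(ttl, hops))
    return result

# Constructed senders: (initial TTL, forwarding routers on the path).
SENDERS = {
    "legit peer, GTSM sender": (255, 1),
    "legit peer, multihop 2 sender": (2, 1),
    "distant host, max TTL": (255, 10),
    "distant host, default TTL 64": (64, 10),
}

if __name__ == "__main__":
    for name, row in compare(2, SENDERS).items():
        print(f"{name:32} ttl={row[0]!s:>4} "
              f"multihop={row[1]!s:5} ttl-security={row[2]}")
```

In this model a packet from ten routers away passes the multihop receiver whatever TTL it started with, while the ttl-security receiver drops it; a peer that still sends with a low multihop TTL is also dropped by the ttl-security side.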
This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART