redistribute bgp considered harmful
Stephen J. Wilcox
steve at telecomplete.co.uk
Mon Oct 7 12:06:36 UTC 2002
I tend to favour allowing features rather than restricting them; if paranoia is
needed then perhaps a confirm prompt?
Don't forget tho BGP is used for things other than Internet routing, e.g. VPN, VRF
and in those cases I can imagine such redistributions being beneficial.
Steve
On Mon, 7 Oct 2002, David Luyer wrote:
>
> Iljitsch van Beijnum <iljitsch at muada.com> wrote:
>
> > But not allowing BGP -> IGP -> BGP might be a good one. On the other hand,
> > someone who is determined to screw up could do BGP -> IGP on one router
> > and IGP -> BGP on another.
>
> I've seen that done. And usefully. The case involved an AGS+ (BGP
> speaking) and IGS (with too little memory to run anything later than
> IOS 8.3, but after the PALs required to do memory upgrades on IGSs
> had been discontinued by Cisco) and a peering across a serial link,
> but could just as easily happen with today's routers -- eg, two
> small ISPs peering over a Cisco 827.
>
> Any feature can be useful, but you just have to be very careful and
> very aware of what you're doing and why it is evil. If you can
> carefully select the routes via, say, nexthop, filter them correctly
> and know what ASN to insert them into, then you can use an IGP to
> transport routes between two ASNs (or more, if you match various
> nexthops and use them to insert into different ASNs).
>
> Imagine ISP A and ISP B are BGP-speakers with only a small amount of
> peering traffic, and an asymmetric flow (say ISP B is a small, modem
> customer only ISP, and ISP A have a bit of content and a slightly
> larger customer base).
>
> Now say ISP A and ISP B peer for some reason, and ISP A uses BGP as
> their only interstate routing protocol, so they need the routes to
> appear in their BGP table.
>
> ISP B could be using a Cisco 827 (RIPv2 only) to connect to ISP A's
> ADSL product via L2TP.
>
> ISP A could be putting ISP B into a VRF and then forwarding them
> off to a small router (eg, an old 1000-series, with an IOS before
> BGP was removed from them[1]), which they peer via BGP back to their
> regular network (having configured it in ISP B's ASN), and insert
> the routes (after filtering) from RIPv2 into BGP.
>
> And before you say no ISP would be crazy enough to peer with a
> 1003 and 827 in the peering path, I refer you to
> http://peer.sensation.net.au/ (a NAP using 33k and 56k modems,
> or 'NAPette' as the organizer calls it).
>
> Of course, this is probably a good argument -not- to support IGP
> into BGP distribution, because someone might use it for something
> like the above! :-)
>
> David.
>
> [1] example router thrown in because it lines up so well with
> the dodginess of the example usage :-) besides, 1003s look
> cool [substitute any other 1000-series].
>
>
More information about the NANOG mailing list