BGP session reset in one packet [where a looking glass or route server is available]

David Luyer david at luyer.net
Wed Apr 21 08:38:44 UTC 2004


It's not the general case, however...

Some looking glass CGIs (in some cases, into production routers)
permit "sh ip bgp nei <x>" -- try typing "sum" and then "nei x.x.x.x"
into the "show ip bgp" box on a looking glass CGI, or using the
command on a route server with CLI access.

This gives you:

Local host: [...], Local port: 179
Foreign host: [...], Foreign port: 29626
[...]
iss:  770717974  snduna:  770746699  sndnxt:  770746699     sndwnd:  15472
irs:  431124262  rcvnxt:  440258849  rcvwnd:      15433  delrcvwnd:    951
[...]

A traceroute will give you the information you need to estimate
the TTL, and from there it's a single packet to reset the BGP
session.  If the looking glass is into a dedicated router, this
achieves little more than causing the other routers to have to
continually re-send their tables to the looking-glass; but if
it's into a production router, well, it's a little more significant.

And that _is_ sufficient to do a BGP session reset in one packet
as the router is happily handing out sequence numbers, source
and destination IP, source and destination port.

Summary: if you don't want to do TCP MD5 auth on your BGP sessions,
at least restrict "show tcp" and "show ip bgp nei" in all looking
glasses and make sure your peers are not permitting them either
in their directly attached routers.

David.
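The mitigation in the summary above (restrict "show tcp" and "show ip bgp nei" in looking glasses) is easy to get wrong when the CGI simply concatenates user input onto "show ip bgp ", which is exactly what lets "sum" or "nei x.x.x.x" through. The following is an added example, not code from the post or from any looking-glass package: it contrasts the naive string-concatenation pattern with an allowlist that accepts only a single IP address or prefix, and adds a scrubber that flags TCP-state fields (iss, snduna, rcvnxt, local/foreign port) in router output before it is returned to a web user. The sample output is constructed from the field names quoted in the post; all function names are this example's own.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample of router output, modelled on the fields quoted in the post.
SAMPLE_NEIGHBOR_OUTPUT = """\
Local host: 192.0.2.1, Local port: 179
Foreign host: 198.51.100.7, Foreign port: 29626
iss:  770717974  snduna:  770746699  sndnxt:  770746699     sndwnd:  15472
irs:  431124262  rcvnxt:  440258849  rcvwnd:      15433  delrcvwnd:    951
"""


def build_naive_command(user_input: str) -> str:
    """The weak pattern: whatever is typed in the box is appended verbatim.
    'nei 198.51.100.7' becomes 'show ip bgp nei 198.51.100.7'."""
    return "show ip bgp " + user_input


def validate_lg_argument(user_input: str) -> Optional[str]:
    """Allowlist for the 'show ip bgp' box: exactly one IPv4/IPv6 address or
    prefix, nothing else. Returns the normalised argument or None if rejected.
    Keywords such as 'sum', 'nei', pipes and extra tokens all fail parsing."""
    arg = user_input.strip()
    if not arg or any(ch.isspace() for ch in arg):
        return None
    try:
        if "/" in arg:
            return str(ipaddress.ip_network(arg, strict=False))
        return str(ipaddress.ip_address(arg))
    except ValueError:
        return None


def build_safe_command(user_input: str) -> str:
    """Hardened builder: refuses anything the allowlist does not accept."""
    arg = validate_lg_argument(user_input)
    if arg is None:
        raise ValueError("looking-glass argument rejected: not a bare prefix")
    return f"show ip bgp {arg}"


# TCP connection state that should never reach an anonymous web user.
_LEAK_FIELDS = re.compile(
    r"\b(iss|irs|snduna|sndnxt|rcvnxt|local port|foreign port)\s*:", re.IGNORECASE
)


def find_tcp_state_leaks(output: str) -> List[str]:
    """Return the sorted, lower-cased names of leaked TCP-state fields found in
    command output; an empty list means the output is safe to display."""
    return sorted({m.group(1).lower() for m in _LEAK_FIELDS.finditer(output)})


def scrub_output(output: str) -> str:
    """Drop every line carrying a leaked field instead of returning it to the user."""
    return "\n".join(
        line for line in output.splitlines() if not _LEAK_FIELDS.search(line)
    )


if __name__ == "__main__":
    print(build_naive_command("nei 198.51.100.7"))        # leaks neighbour state
    print(validate_lg_argument("nei 198.51.100.7"))       # None: rejected
    print(build_safe_command("192.0.2.0/24"))             # show ip bgp 192.0.2.0/24
    print(find_tcp_state_leaks(SAMPLE_NEIGHBOR_OUTPUT))
    print(scrub_output(SAMPLE_NEIGHBOR_OUTPUT))
```

The validator deliberately accepts only a bare address or prefix rather than trying to blocklist "nei", "sum" and abbreviations of them; the scrubber is a second line of defence for a looking glass that still exposes other commands.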