BGP, ebgp-multihop and multiple peers
steve at ibctech.ca
Wed Aug 27 07:16:01 CDT 2008
Iljitsch van Beijnum wrote:
> On 27 aug 2008, at 7:58, Paul Wall wrote:
>>> - single loopback/single IP for all peers, or;
>>> - each peer with its own loopback/IP?
>> You should use caution when using loopback IP addresses and building
>> external multihop BGP sessions. By permitting external devices to
>> transmit packets to your loopback(s), you open the door to
>> spoof/denial of service attacks.
> Indeed. I would use two loopbacks, one for internal stuff that is
> unreachable from the outside, another one from another range that allows
> the external sessions.
> But that's more a question of ease of management than of risk, because
> if people can do something bad using one loopback address, it really
> doesn't matter much that additional ones are better protected.
Thanks for the feedback.
The only reason I use loopbacks for eBGP multihop is so that if one of
my physical interfaces goes down taking a transit link with it, these
particular sessions will attempt to re-establish via another path.
Would someone be so kind as to point me in the direction of some
documentation that describes the drawbacks (regarding the mentioned
possibility of DoS/spoof attacks) of externally accessible loopbacks?
I'm drawing a blank on why this is any more risky than having a peering
session (multihop) on a physical interface.
Would it be best if I configured the peering sessions on a physical