[c-nsp] Non-default BGP hold / keepalive timers
Bruce Pinsky
bep at whack.org
Fri Nov 18 18:59:39 EST 2005
Simon Leinen wrote:
> Bruce Pinsky writes:
>
>> And one could argue that setting a minimum required holdtime could
>> be considered a best practice to avoid someone intentionally or
>> unintentionally causing undue CPU load on your system.
>
>
> Oh gee. The worst-case is that your evil/stupid peer imposes a
> one-second KeepAlive timer upon you. I think that these days, the
> typical full-route feed averages about an UPDATE per second. I
> suppose that even Cisco can optimize KEEPALIVE processing so that the
> router doesn't explode if it has to process as many keepalives as
> updates.
>
> What value would you suggest for the new "minimum holdtime" knob? 60
> would enforce the Cisco default, but would prevent interoperability
> with the Juniper (and BGP-4 RFC) default. Hmm, then maybe one has to
> tolerate 30...
>
> While in general I think it's a good idea to have knobs like this, I
> fail to see the urgency for this particular one. The folks who wrote
> RFC 1771 thought about this and decided to put in a minimum keepalive
> interval:
>
> KEEPALIVE messages MUST NOT be sent more frequently than one per
> second.
>
> This is what was deemed safe in 1994. Have computers, sorry I meant
> router "control planes", gotten that much slower in 11 years?
>
>
>> I also see no such capability in JunOS.
>
>
> Maybe because they don't think it is necessary to defend their routers
> against the "DoS attack" of someone asking them to send a KeepAlive
> message every second.
I suppose in the degenerative case of a single peering session, you are
correct. I tend to deal with large scale SP and enterprise customers where
there could be dozens or even hundreds of peers per device. I would
consider it a bigger risk in those environments.
--
=========
bep