[nsp] BGP sessions drop during DOS and general DOS protections.

Robert E. Seastrom rs at seastrom.com
Tue Jul 22 10:26:39 EDT 2003


Rob Thomas <robt at cymru.com> writes:

> You can tune
> the BGP timers to increase the tolerance for such things, but this
> is done at the cost of longer outages when other events (e.g. link
> failure, "routine" peer failure) occur.  There are always these
> pesky trade-offs.  :)
> 
> router bgp 65330
>  timers bgp <X> <Y>

These are very sharp tools and to be handled with utmost care.

Unless I'm missing a change to the protocol that happened while I
wasn't looking, long timers should have no effect if not configured
identically on both sides (i.e., no negotiation capability), as RFC 1772
sec 4.2 says:

   Upon receipt of an OPEN message, a BGP speaker MUST calculate the
   value of the Hold Timer by using the smaller of its configured Hold
   Time and the Hold Time received in the OPEN message ...  An
   implementation may reject connections on the basis of the Hold Time.

I have no idea whether Cisco's implementation rigorously enforces
this, builds in slop, agrees to whatever the other side requests, or
does something else; it may be possible to make your connection less
stable instead of more stable (even ignoring the tradeoff Rob
mentioned) by mucking with timers without a firm idea of what's going
on under the hood.

The good news is that one can configure timers on a per-peer basis (at
least on 12.0S which I just checked).  The bad news is that people may
actually try to do this.   :)

                                        ---rob

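Added illustration of the hold-time rule quoted above (not code from the post, from Rob, or from Cisco): each side uses the smaller of its own configured hold time and the one in the peer's OPEN, so raising the timer on only one router changes nothing, and a keepalive gap (for instance during a DoS) only has to outlast the negotiated value. The keepalive derivation (min of the configured keepalive and a third of the negotiated hold time) and the 180/60 second default values are assumptions about common implementations.

```python
"""Model of BGP hold-time negotiation and its effect on session survival
when KEEPALIVEs stop arriving.  Illustration only; not Cisco's code."""


def negotiate_hold_time(local_hold: int, peer_hold: int) -> int:
    """Hold time actually used: the smaller of our configured value and the
    one received in the peer's OPEN.  0 means the timer never expires."""
    for v in (local_hold, peer_hold):
        # RFC 1771: hold time is 0 or at least 3 seconds; 1 and 2 are invalid
        if v < 0 or v in (1, 2):
            raise ValueError(f"invalid hold time {v}")
    return min(local_hold, peer_hold)


def keepalive_interval(configured_keepalive: int, negotiated_hold: int) -> int:
    """Assumed derivation: the configured keepalive, capped at one third of
    the negotiated hold time so three keepalives fit in one hold period."""
    if negotiated_hold == 0:
        return 0
    return min(configured_keepalive, negotiated_hold // 3)


def session_survives(local_hold: int, peer_hold: int, silence_seconds: int) -> bool:
    """Does our side keep the session up if no KEEPALIVE/UPDATE from the peer
    gets through for `silence_seconds`?  The hold timer restarts on each
    received message, so the gap must exceed the negotiated hold time."""
    hold = negotiate_hold_time(local_hold, peer_hold)
    if hold == 0:
        return True
    return silence_seconds <= hold


def one_sided_tuning_changes_hold(tuned_hold: int = 600, default_hold: int = 180) -> bool:
    """Raising only our hold time (peer left at the assumed 180 s default)
    does not change what the session negotiates.  Returns False for this case."""
    before = negotiate_hold_time(default_hold, default_hold)
    after = negotiate_hold_time(tuned_hold, default_hold)
    return before != after


if __name__ == "__main__":
    # Constructed scenario: 300 s of lost keepalives, tuning one side vs. both
    print("one side tuned, survives 300 s gap:", session_survives(600, 180, 300))
    print("both sides tuned, survives 300 s gap:", session_survives(600, 600, 300))
    print("keepalive with 600 s hold, 60 s configured:", keepalive_interval(60, 600))
```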