[c-nsp] Match BGP in ACL

Raymond, Steven steven_raymond at eli.net
Thu Jul 29 23:13:06 EDT 2004


> -----Original Message-----
> From: Aaron Weintraub [mailto:aaronw at distracted.org]
> Sent: Thursday, July 29, 2004 7:24 PM
> To: Raymond, Steven
> Subject: Re: [c-nsp] Match BGP in ACL
...
> If this is for ebgp speakers, it's probably better to do 
> permit ip instead of messing with tcp, because some 
> people ping the far end of interfaces for reachability 
> testing, etc.  obviously, it's your router, but sometimes 
> NOCs do not understand the ramifications of 'i can't ping, 
> but BGP is up'

Don't get me wrong- we are permitting a lot more than just BGP packets.  I
simply narrowed down the list for the purposes of shortening this email.
Will permit ICMP.  However, just permitting all traffic sourcing from those
specified netblocks is not particularly attractive, and detracts from the
usefulness of using rxacl in the first place.

> is this for:
> 1) your internal ibgp sessions?

Yes.

> 2) your customer/private peer ebgp /30s?

Customers, yes.  Peers, no.  Those are all Junipers and can protect
themselves :)

> 3) public peering point larger blocks?

No.

> Careful on the 'network dest' on a receive access-list for 
> GRP... I'm not sure this is looked at, because it's 
> really packets that the LCs determine need to get sent to the 
> GRP... specifying destinations in here may not have 
> the desired effect.  

Anyone from Cisco here can verify?  Does the "destination" part of the ACL
match get considered in a rxacl?  

> also, the racl is not looked at all for 
> packets sourced from the GRP.  the GRP is perfectly 
> free to source any packets it wants, all day long.

Agreed, rxacl only examines ingress packets.  However if I want to match &
permit all BGP packets, then I must (I think, that's the whole question of
this thread, how to identify bgp packets in an acl) look at destination
port=179 in both directions.  In other words, it's unknown whether my router
or other router could have initiated the BGP session, so I don't know
whether ingress packets or egress packets will have tcp dest port 179, and
all source ports will be high.  So I conclude that we must have an acl line
identifying BGP by matching tcp destination port 179 for both
combinations of source addresses (this router or the remote routers).
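The two ingress cases described above (either side may have opened the session), as an added example that is not code from this thread: a small Python model of an ingress receive ACL showing that a single "eq bgp" destination entry drops return traffic for sessions this router opened, and the second entry that covers them. The addresses are constructed, and the model assumes the destination field of the entry is evaluated, which is the open question in the thread.

```python
from ipaddress import ip_address, ip_network

BGP_PORT = 179

# Constructed sample addresses (not from the thread): this router and a customer /30.
OUR_ROUTER = ip_network("192.0.2.1/32")
CUSTOMER_30 = ip_network("198.51.100.0/30")

# Receive-ACL entries as (proto, src, src_port, dst, dst_port); None is a wildcard,
# first match wins, implicit deny at the end. The second list adds the entry that
# covers sessions this router opened, whose return packets come FROM the peer's port 179.
ACL_DST_179_ONLY = [
    ("tcp", CUSTOMER_30, None, OUR_ROUTER, BGP_PORT),
]
ACL_BOTH_INITIATORS = [
    ("tcp", CUSTOMER_30, None, OUR_ROUTER, BGP_PORT),   # peer opened the session
    ("tcp", CUSTOMER_30, BGP_PORT, OUR_ROUTER, None),   # we opened the session
]


def permitted(acl, proto, src, sport, dst, dport):
    """True if an ingress packet hits a permit entry; otherwise implicit deny."""
    for e_proto, e_src, e_sport, e_dst, e_dport in acl:
        if e_proto != proto:
            continue
        if ip_address(src) not in e_src or ip_address(dst) not in e_dst:
            continue
        if e_sport is not None and e_sport != sport:
            continue
        if e_dport is not None and e_dport != dport:
            continue
        return True
    return False


def to_ios(acl):
    """Render entries as IOS extended-ACL lines (wildcard mask = inverted netmask)."""
    def addr(net):
        return (f"host {net.network_address}" if net.prefixlen == 32
                else f"{net.network_address} {net.hostmask}")
    def port(p):
        return "" if p is None else f" eq {p}"
    return [f"permit {pr} {addr(s)}{port(sp)} {addr(d)}{port(dp)}"
            for pr, s, sp, d, dp in acl]


# Ingress packets of one BGP session, depending on which side sent the SYN.
PEER_OPENED = ("tcp", "198.51.100.2", 41234, "192.0.2.1", BGP_PORT)
WE_OPENED = ("tcp", "198.51.100.2", BGP_PORT, "192.0.2.1", 41234)
```

`permitted(ACL_DST_179_ONLY, *WE_OPENED)` is False while `permitted(ACL_BOTH_INITIATORS, *WE_OPENED)` is True; `to_ios(ACL_BOTH_INITIATORS)` prints the two entries in IOS syntax.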


