[j-nsp] JunOS violating draft-katz-ward-bfd-v4v6-1hop for BFD?

Richard A Steenbergen ras at e-gerbil.net
Sun Apr 18 08:25:10 EDT 2004


On Sat, Apr 17, 2004 at 06:32:47PM +0200, Daniel Roesen wrote:
> 
>    In the case of IPv4, BFD Control packets MUST be transmitted in UDP
>    packets with destination port 3784, within an IPv4 packet.  The
>    source port MUST be in the range 49152 through 65535. [...]
> 
> 
> Yet, I'm seeing that BFD between two Junipers use 3784 as source port,
> not something in range 49152-65535. Didn't check for 3785:3785 yet.

Combining subjects for a moment...

net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000

Might some more ephemeral ports be in order, to reduce the ease of RST'ing
BGP sessions? By my math, 2^32 sequence in 16k window chunks, where you
already know one side is 179, and the other side (if originated by a jnpr)
only has 3976 possible combinations, * 2 for figuring out which side made
the connection and which accepted, is 2084569088 packets for an exhaustive
search of every combination (around 58 hours at 10kpps). While this seems
like it is still too large to be damaging on its own, combine it with some
other technique for sequence number prediction and it just seems like an
unnecessarily low and risky port range.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
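An added example (not part of Richard's post) that reproduces his work-factor estimate as a function of the ephemeral port range and compares the 1024-5000 default with the 49152-65535 range quoted above for BFD. It assumes, as the post does, a 16k window, a 10 kpps send rate, and that the attacker knows one port is 179 but not which side initiated.

```python
# Added example, not code from the original post. Models the blind-RST
# work factor described in the message above and shows how it scales
# with the width of the ephemeral port range.

SEQ_SPACE = 2 ** 32          # 32-bit TCP sequence number space
DEFAULT_WINDOW = 16 * 1024   # receive window assumed in the post ("16k")
DIRECTIONS = 2               # unknown which side is the port-179 side


def ephemeral_ports(first: int, last: int) -> int:
    """Width of the ephemeral range, counted as in the post
    (last - first, i.e. 5000 - 1024 = 3976)."""
    return last - first


def rst_search_space(first: int, last: int, window: int = DEFAULT_WINDOW) -> int:
    """Packets for an exhaustive search over every
    (ephemeral port, sequence chunk, direction) combination."""
    seq_chunks = SEQ_SPACE // window
    return seq_chunks * ephemeral_ports(first, last) * DIRECTIONS


def hours_at_rate(packets: int, pps: int = 10_000) -> float:
    """Wall-clock hours for the search at a given packet rate."""
    return packets / pps / 3600


if __name__ == "__main__":
    for label, first, last in (
        ("JunOS default 1024-5000", 1024, 5000),
        ("Range 49152-65535 (as quoted for BFD)", 49152, 65535),
    ):
        n = rst_search_space(first, last)
        print(f"{label}: {n:,} packets, {hours_at_rate(n):.0f} h at 10 kpps")
```

The default range reproduces the post's 2,084,569,088 packets (about 58 hours); the wider range multiplies the work by roughly four.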

