[j-nsp] How does multihop eBGP work?

Thedin Guruge thedin at gmail.com
Fri Jun 24 14:56:41 EDT 2011


Alex,
It's clever that the BGP process is able to establish the IPsec tunnel itself.

Something good to be included in the RFC I guess :)

Thanks

Thedin

Sent from Thedin's iPhone

On 25/06/2011, at 5:43 AM, "Alex" <alex.arseniev at gmail.com> wrote:

> If you ever need multihop eBGP again, and are still worrying about security/hijacking/packet modification/code injection, there is a JUNOS feature called "BGP IPSec protection" which establishes a transport IPsec SA between 2 Juniper boxes for the explicit purpose of encrypting BGP packets.
> You don't need a Service PIC for this to work; it is done in the RE.
> http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-routing/routing-using-ipsec-to-protect-bgp-traffic.html
> Rgds
> Alex
> 
> ----- Original Message ----- From: "Mike Williams" <mike.williams at comodo.com>
> To: <juniper-nsp at puck.nether.net>
> Sent: Friday, June 24, 2011 6:20 PM
> Subject: Re: [j-nsp] How does multihop eBGP work?
> 
> 
>> On Friday 24 June 2011 17:49:28 Patrick Okui wrote:
>>> BGP only populates your idea of the next hop towards your destination.
>>> Once your packets leave your network to the intermediary autonomous
>>> systems they forward the packets based on their idea of the best next hop.
>>> 
>>> Short of some combination of tunnelling &/or encryption there's no real
>>> way for you to control/verify what happened to the packets in transit.
>> 
>> Thanks to all who replied.
>> 
>> I was sort of hoping there would be a magical auto-encapsulation feature that
>> nobody ever spoke about.
>> 
>> We've solved our original problem in a neatly elegant way, without multi-hop
>> ebgp.
>> 
>> -- 
>> Mike Williams
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
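The feature Alex describes above, laid out as an added Junos configuration sketch (not from the original thread or from Juniper's documentation): a manual transport-mode ESP SA on both routers, referenced from the multihop eBGP neighbor so the RE encrypts and authenticates the BGP session itself. The SA name `bgp-sa`, the peer address 192.0.2.2, AS 65002, the SPI, the TTL, the algorithm choices and the key placeholders are all assumptions; the same SA (same SPI, algorithms and keys) must be configured on the peer.

```junos
/* Assumed example, not the original poster's or Juniper's config.
   Transport mode is enough here: only the BGP packets between the two
   loopbacks are protected, no tunnel interface is involved. */
security {
    ipsec {
        security-association bgp-sa {
            mode transport;
            manual {
                direction bidirectional {
                    protocol esp;
                    spi 256;                       /* assumed; must match the peer */
                    authentication {
                        algorithm hmac-sha1-96;
                        key ascii-text "<AUTH-KEY-PLACEHOLDER>";
                    }
                    encryption {
                        algorithm 3des-cbc;        /* illustrative choice */
                        key ascii-text "<ENC-KEY-PLACEHOLDER>";
                    }
                }
            }
        }
    }
}
protocols {
    bgp {
        group ebgp-multihop {
            type external;
            multihop {
                ttl 5;                             /* assumed hop budget */
            }
            local-address 192.0.2.1;               /* assumed loopback */
            peer-as 65002;                         /* assumed peer AS */
            neighbor 192.0.2.2 {
                ipsec-sa bgp-sa;                   /* bind the SA to this session */
            }
        }
    }
}
```

After commit, `show bgp neighbor 192.0.2.2` should report the session as established with the IPsec SA in use; if it stays idle, a mismatched SPI, algorithm or key on either side is the first thing to compare.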
