[j-nsp] How does multihop eBGP work?

Alex alex.arseniev at gmail.com
Fri Jun 24 17:35:42 EDT 2011


I guess I did not make myself clear enough.
This IPSec SA has to be configured like any other IPSec SA; the only difference 
is that it is a separate IPSec SA for protecting BGP traffic.
Rgds
Alex

----- Original Message ----- 
From: "Thedin Guruge" <thedin at gmail.com>
To: "Alex" <alex.arseniev at gmail.com>
Cc: "Mike Williams" <mike.williams at comodo.com>; <juniper-nsp at puck.nether.net>
Sent: Friday, June 24, 2011 7:56 PM
Subject: Re: [j-nsp] How does multihop eBGP work?


Alex,
It's clever that the BGP process is able to establish an IPSec tunnel itself.

Something good to be included in the RFC I guess :)

Thanks

Thedin

Sent from Thedin's IPhone

On 25/06/2011, at 5:43 AM, "Alex" <alex.arseniev at gmail.com> wrote:

> If you ever need multihop eBGP again, and are still worrying about 
> security/hijacking/packet modification/code injection, there is a JUNOS 
> feature called "BGP IPSec protection" which establishes a transport IPSec SA 
> between 2 Juniper boxes for the explicit purpose of encrypting BGP packets.
> You don't need a Service PIC for this to work; it is done in the RE.
> http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-routing/routing-using-ipsec-to-protect-bgp-traffic.html
> Rgds
> Alex
>
> ----- Original Message -----
> From: "Mike Williams" <mike.williams at comodo.com>
> To: <juniper-nsp at puck.nether.net>
> Sent: Friday, June 24, 2011 6:20 PM
> Subject: Re: [j-nsp] How does multihop eBGP work?
>
>
>> On Friday 24 June 2011 17:49:28 Patrick Okui wrote:
>>> BGP only populates your idea of the next hop towards your destination.
>>> Once your packets leave your network to the intermediary autonomous
>>> systems they forward the packets based on their idea of the best next hop.
>>>
>>> Short of some combination of tunnelling &/or encryption there's no real
>>> way for you to control/verify what happened to the packets in transit.
>>
>> Thanks to all who replied.
>>
>> I was sort of hoping there would be a magical auto-encapsulation feature
>> that nobody ever spoke about.
>>
>> We've solved our original problem in a neatly elegant way, without
>> multi-hop ebgp.
>>
>> -- 
>> Mike Williams
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp


