I guess I did not make myself clear enough.
This IPSec SA has to be configured like any other IPSec SA, only difference is that it is a separate IPSec SA for protecting BGP traffic.
Rgds
Alex

----- Original Message ----- From: "Thedin Guruge" <the...@gmail.com>
To: "Alex" <alex.arsen...@gmail.com>
Cc: "Mike Williams" <mike.willi...@comodo.com>; <juniper-nsp@puck.nether.net>
Sent: Friday, June 24, 2011 7:56 PM
Subject: Re: [j-nsp] How does multihop eBGP work?


Alex,
It's clever that the bgp process is able to establish the IPsec tunnel itself.

Something good to be included in the RFC I guess :)

Thanks

Thedin

Sent from Thedin's iPhone

On 25/06/2011, at 5:43 AM, "Alex" <alex.arsen...@gmail.com> wrote:

If you ever need multihop eBGP again, and are still worrying about security/hijacking/packet modification/code injection, there is a JUNOS feature called "BGP IPsec protection" which establishes a transport-mode IPsec SA between 2 Juniper boxes for the explicit purpose of encrypting BGP packets.
You don't need a Service PIC for this to work; it is done in the RE.
http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-routing/routing-using-ipsec-to-protect-bgp-traffic.html
Rgds
Alex

----- Original Message ----- From: "Mike Williams" <mike.willi...@comodo.com>
To: <juniper-nsp@puck.nether.net>
Sent: Friday, June 24, 2011 6:20 PM
Subject: Re: [j-nsp] How does multihop eBGP work?


On Friday 24 June 2011 17:49:28 Patrick Okui wrote:
BGP only populates your idea of the next hop towards your destination.
Once your packets leave your network to the intermediary autonomous
systems they forward the packets based on their idea of the best next hop.

Short of some combination of tunnelling &/or encryption there's no real
way for you to control/verify what happened to the packets in transit.

Thanks to all who replied.

I was sort of hoping there would be a magical auto-encapsulation feature that
nobody ever spoke about.

We've solved our original problem in a neatly elegant way, without multi-hop
ebgp.

--
Mike Williams
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
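As an added illustration of what Alex describes (a separate, manually keyed transport-mode IPsec SA applied to a multihop eBGP neighbour), here is a configuration fragment in the shape the linked Junos guide uses. It is not from the thread or from Juniper's documentation; the SA name bgp-peer-sa, the group and neighbour addresses, the SPI and the placeholder keys are all invented, and both ends must be configured with the same SPI, algorithms and keys since the SA is manual (no IKE). Key lengths are fixed by the algorithm in Junos (the commit fails if they are wrong), so check the exact requirement for your release before copying.

```junos
/* Manual transport-mode SA processed in the RE; no Services PIC needed. */
/* Example only: SA name, SPI and keys are placeholders, not real values. */
security {
    ipsec {
        security-association bgp-peer-sa {
            mode transport;
            manual {
                direction bidirectional {
                    protocol esp;
                    spi 1001;
                    authentication {
                        algorithm hmac-sha1-96;
                        key ascii-text "REPLACE-WITH-20-CHARS";
                    }
                    encryption {
                        algorithm 3des-cbc;
                        key ascii-text "REPLACE-WITH-24-CHARACTERS";
                    }
                }
            }
        }
    }
}
/* Multihop eBGP session to a loopback two hops away, protected by the SA. */
protocols {
    bgp {
        group ext-multihop {
            type external;
            peer-as 65002;
            local-address 192.0.2.1;
            multihop ttl 2;
            ipsec-sa bgp-peer-sa;
            neighbor 198.51.100.1;
        }
    }
}
```

Because the SA is bidirectional and manual, the peer needs the mirror image: the same SPI, algorithms and keys, with its own local-address and your loopback as the neighbor. Static keys never expire on their own, so rotating them (and the SPI) on a schedule is the operator's job; the configuration above only protects the BGP packets between the two routing engines, not the forwarding path of the traffic the routes carry, which is the point Patrick makes earlier in the thread.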
