Because BFD packets can get routed across multiple hops. Unlike EBGP where you connect to a peer in a different AS and you have a direct connection, BFD packets can traverse multiple hops to reach the endpoint.
Then what's this "multihop" knob I have available in my BGP config? Again, as Rob pointed out, "can" vs. "should" is a good consideration here, but unless I'm missing something both EBGP and BFD "can" do multihop...so...?
--
Hugo

On Tue 2015-Feb-17 07:42:20 +0530, Dave Waters <davewaters1...@gmail.com> wrote:

Because BFD packets can get routed across multiple hops. Unlike EBGP where you connect to a peer in a different AS and you have a direct connection, BFD packets can traverse multiple hops to reach the endpoint.

In case of multihop BFD the BFD packets also get re-routed when the topology changes so you can almost never bet on the TTL value to secure the protocol.

Dave

On Tue, Feb 17, 2015 at 7:03 AM, Rob Seastrom <r...@seastrom.com> wrote:

Dave Waters <davewaters1...@gmail.com> writes:

> http://www.reddit.com/r/networking/comments/2vxj9u/very_elegant_and_a_simple_way_to_secure_bfd/
>
> Authentication mechanisms defined for IGPs cannot be used to protect BFD
> since the rate at which packets are processed in BFD is very high.
>
> Dave

One might profitably ask why BFD wasn't designed to take advantage of high-TTL-shadowing, a la draft-gill-btsh.

-r