Re: BGP, ebgp-multihop and multiple peers

[Steve Bertrand <steve () ibctech ca>]

Iljitsch van Beijnum wrote:
> On 27 aug 2008, at 7:58, Paul Wall wrote:
>
> > > - single loopback/single IP for all peers, or;
> > > - each peer with its own loopback/IP?
>
> > You should use caution when using loopback IP addresses and building
> > external multihop BGP sessions. By permitting external devices to
> > transmit packets to your loopback(s), you open the door to
> > spoof/denial of service attacks.
>
> [...]
>
> Indeed. I would use two loopbacks, one for internal stuff that is 
> unreachable from the outside, another one from another range that allows 
> the external sessions.
>
> But that's more a question of ease of management than of risk, because 
> if people can do something bad using one loopback address, it really 
> doesn't matter much that additional ones are better protected.

Thanks for the feedback.

The only reason I use loopbacks for eBGP multihop is so that if one of 
my physical interfaces goes down taking a transit link with it, these 
particular sessions will attempt to re-establish via another path.

Would someone be so kind as to point me in the direction of some 
documentation that describes the drawbacks (regarding the mentioned 
possibility of DoS/spoof attacks) of externally accessible loopbacks?

I'm drawing a blank on why this is any more risky than having a peering 
session (multihop) on a physical interface.

Would it be best if I configured the peering sessions on a physical 
interface instead?

Steve