BGP peer passive mode

Discussion in 'Cisco' started by Ivan Ostreš, Nov 29, 2004.

  1. Ivan Ostreš

    Ivan Ostreš Guest

    Hello NG,

    I have an interesting problem... I have two EBGP peers and firewall
    between them:

    RTRA -------- ISA ---------- RTRB ----- ISP

    the thing is that I do not want to allow RTRB to initiate a BGP session
    to RTRA since that is blocked on the ISA "firewall" and makes annoying
    messages.

    I've tried an approach where I send all packets from RTRB with the SYN flag to
    null0 interface (policy routing) but it is not a really clean way of
    solving this. Is there some other approach to make BGP peer "passive" on
    initiating peering?


    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostreš, Nov 29, 2004
    #1

  2. Arnold Nipper

    Arnold Nipper Guest

    On 29.11.2004 22:19 Ivan Ostreš wrote

    > Hello NG,
    >
    > I have an interesting problem... I have two EBGP peers and firewall
    > between them:
    >
    > RTRA -------- ISA ---------- RTRB ----- ISP
    >
    > the thing is that I do not want to allow RTRB to initiate a BGP session
    > to RTRA since that is blocked on the ISA "firewall" and makes annoying
    > messages.
    >
    > I've tried an approach where I send all packets from RTRB with the SYN flag to
    > null0 interface (policy routing) but it is not a really clean way of
    > solving this. Is there some other approach to make BGP peer "passive" on
    > initiating peering?
    >


    IMHO it is broken by design to have a firewall in between two EBGP peers.


    But of course ymmv, Arnold
    --
    Arnold Nipper, AN45
     
    Arnold Nipper, Nov 29, 2004
    #2

  3. Hansang Bae

    Hansang Bae Guest

    > On 29.11.2004 22:19 Ivan Ostreš wrote
    > > I have an interesting problem... I have two EBGP peers and firewall
    > > between them:
    > >
    > > RTRA -------- ISA ---------- RTRB ----- ISP
    > >
    > > the thing is that I do not want to allow RTRB to initiate a BGP session
    > > to RTRA since that is blocked on the ISA "firewall" and makes annoying
    > > messages.


    Why not just open it for tcp port 179?


    > > I've tried an approach where I send all packets from RTRB with the SYN flag to
    > > null0 interface (policy routing) but it is not a really clean way of
    > > solving this. Is there some other approach to make BGP peer "passive" on
    > > initiating peering?


    I doubt it since it's TCP based.


    In article <cog41i$gnq$>, says...
    > IMHO it is broken by design to have a firewall in between two EBGP peers.
    > But of course ymmv, Arnold



    Why would you say that? It's an easy way of detecting failures outside
    the FW.


    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Nov 30, 2004
    #3
  4. Ivan Ostreš

    Ivan Ostreš Guest

    In article <>,
    says...
    > Why not just open it for tcp port 179?
    >


    Hi Hansang,

    I'm sure that you know security "nothing can be initiated from the
    outside" guys, so there's a problem. It really works ok when inside peer
    establishes connection first. The only problem is that outside peer is
    trying to establish peering before the inside one... (it's not really a
    problem - it's just annoying).

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostreš, Nov 30, 2004
    #4
  5. Ivan Ostreš

    Ivan Ostreš Guest

    In article <cog41i$gnq$>, says...
    > IMHO it is broken by design to have a firewall in between two EBGP peers.
    >


    Well, everyone can have his own opinion :). It's really a good design
    since the company has four ways out (like the one I've described) so
    using BGP is the only normal way of knowing that the outside router does not
    have a connection to the ISP any more and that all traffic should be
    rerouted.

    How would you approach that design problem, Arnold?

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostreš, Nov 30, 2004
    #5
  6. Ben

    Ben Guest

    Ivan Ostreš wrote:
    > In article <cog41i$gnq$>, says...
    >
    >>IMHO it is broken by design to have a firewall in between two EBGP peers.
    >>

    >
    >
    > Well, everyone can have his own opinion :). It's really a good design
    > since the company has four ways out (like the one I've described) so
    > using BGP is the only normal way of knowing that the outside router does not
    > have a connection to the ISP any more and that all traffic should be
    > rerouted.
    >
    > How would you approach that design problem, Arnold?
    >


    I believe the initiating router uses port 179, but a random source port.
    So simply block destination port 179 on the inside interface.
     
    Ben, Nov 30, 2004
    #6
  7. Vincent C Jones

    Vincent C Jones Guest

    In article <cog41i$gnq$>,
    Arnold Nipper <> wrote:
    >On 29.11.2004 22:19 Ivan Ostreš wrote
    >>
    >> I have an interesting problem... I have two EBGP peers and firewall
    >> between them:
    >>
    >> RTRA -------- ISA ---------- RTRB ----- ISP
    >>
    >> the thing is that I do not want to allow RTRB to initiate a BGP session
    >> to RTRA since that is blocked on the ISA "firewall" and makes annoying
    >> messages.
    >>
    >> I've tried an approach where I send all packets from RTRB with the SYN flag to
    >> null0 interface (policy routing) but it is not a really clean way of
    >> solving this. Is there some other approach to make BGP peer "passive" on
    >> initiating peering?
    >>

    >
    >IMHO it is broken by design to have a firewall in between two EBGP peers.
    >
    >Arnold Nipper, AN45


    I happen to disagree with Arnold. My opinion is that BGP is the only
    routing protocol which is acceptable to use through a firewall. I
    have posted them multiple times before, so I won't belabor them
    here unless asked. Whether a firewall is needed between
    any two routers, regardless of routing protocol, is a question of
    budget and security policy, not rightness or wrongness (although
    supporting a dynamic routing protocol other than BGP through a
    firewall usually means the security policy is so weak the firewall
    is a waste of money).

    On the other hand, I think Ivan has a different problem. The firewall
    should only complain about BGP connection attempts from RTRB when RTRA
    is dead. Normal operation of BGP is for both routers to attempt to
    connect with the configured peer, but as soon as one succeeds, the other
    stops trying and the only time you should see "intrusion alerts" from
    the firewall is when there is a problem with BGP and the peers are not
    correctly communicating.

    If you are actually doing EBGP between the two routers rather than
    IBGP, then you probably forgot to enable multihop. Remember
    that the firewall counts as a router from the viewpoint of TTL.

    --
    Vincent C Jones, Consultant
    Networking Unlimited, Inc.
    Tenafly, NJ   Phone: 201 568-7810
    http://www.networkingunlimited.com
    "Expert advice and a helping hand for those who want to manage and
    control their networking destiny"
     
    Vincent C Jones, Nov 30, 2004
    #7
  8. Hansang Bae

    Hansang Bae Guest

    In article <>,
    says...
    > I'm sure that you know security "nothing can be initiated from the
    > outside" guys, so there's a problem. It really works ok when inside peer
    > establishes connection first. The only problem is that outside peer is
    > trying to establish peering before the inside one... (it's not really a
    > problem - it's just annoying).


    I see. In that case, I think you're stuck. Same folks who break PMTU-D
    by blocking *all* forms of ICMP! :)

    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Dec 1, 2004
    #8
  9. Ivan Ostreš

    Ivan Ostreš Guest

    In article <coiu5j$toi$>,
    says...

    Hello Vincent,

    > On the other hand, I think Ivan has a different problem. The firewall
    > should only complain about BGP connection attempts from RTRB when RTRA
    > is dead. Normal operation of BGP is for both routers to attempt to
    > connect with the configured peer, but as soon as one succeeds, the other
    > stops trying and the only time you should see "intrusion alerts" from
    > the firewall is when there is a problem with BGP and the peers are not
    > correctly communicating.
    >


    Firewall IS complaining only before RTRA establishes its connection to
    RTRB. When peering is established, there are no problem messages (so it is
    true that RTRB stops sending TCP SYN packets when it "sees" that the
    connection is up).


    > If you are actually doing EBGP between the two routers rather than
    > IBGP, then you probably forgot to enable multihop. Remember
    > that the firewall counts as a router from the viewpoint of TTL.
    >
    >


    Hm.. I probably wrote the OP pretty badly. The whole thing IS working ok (I didn't
    forget multihop). Security guys are just complaining about messages when
    there's no established peering between routers (and RTRB tries to create
    one). So, my goal was to fix it so that RTRB never tries to initiate peering
    by itself and just waits for RTRA to make a connection.

    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostreš, Dec 1, 2004
    #9
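For readers who land here with the same problem, the configuration below is an added illustration and was not posted by anyone in the thread. It shows the BGP-level fix (RTRB configured as the passive side with `neighbor ... transport connection-mode passive`, a command the thread does not mention and which is assumed to be available on the IOS release in use) and, as a fallback, the local-policy-routing variant Ivan describes, written so that only RTRB-originated SYNs towards RTRA's port 179 are dropped while RTRB's replies to RTRA's SYNs still flow. Addresses, AS numbers and interface names are constructed.

```cisco
! ---- RTRB (outside router, constructed AS 65001) ----
! Goal: RTRB never sends the TCP SYN for the session; it only answers RTRA's.
router bgp 65001
 neighbor 192.0.2.1 remote-as 65000
 ! the firewall is an extra hop from the TTL point of view (Vincent's note)
 neighbor 192.0.2.1 ebgp-multihop 2
 ! clean fix: RTRB only listens on TCP/179 for this peer, never connects
 neighbor 192.0.2.1 transport connection-mode passive
!
! ---- Fallback if the IOS in use lacks connection-mode passive ----
! An interface ACL ("block destination port 179 on the inside interface")
! does NOT see packets the router itself originates, so the filter must be
! applied with ip local policy. Matching on destination port 179 alone is
! enough: RTRB's SYN-ACKs to RTRA have SOURCE port 179 and are untouched.
ip access-list extended RTRB-BGP-INIT
 permit tcp host 198.51.100.2 host 192.0.2.1 eq 179
!
route-map NO-BGP-INIT permit 10
 match ip address RTRB-BGP-INIT
 set interface Null0
!
ip local policy route-map NO-BGP-INIT
!
interface GigabitEthernet0/0
 description inside, towards ISA firewall and RTRA
 ip address 198.51.100.2 255.255.255.0
!
! ---- RTRA (inside router, constructed AS 65000): the side that connects ----
router bgp 65000
 neighbor 198.51.100.2 remote-as 65001
 neighbor 198.51.100.2 ebgp-multihop 2
 neighbor 198.51.100.2 transport connection-mode active
```

With either variant the only TCP/179 SYN the ISA firewall ever sees travels inside-to-outside, so its "blocked inbound connection" messages stop; if they persist, the peer is not actually using the passive configuration and `show ip bgp neighbors` on RTRB is the place to confirm which side opened the session.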
