BGP session reset in one packet [where a looking glass or route server is available]
It's not the general case, however... Some looking glass CGIs (in some cases, into production routers) permit "sh ip bgp nei <x>" -- try typing "sum" and then "nei x.x.x.x" into the "show ip bgp" box on a looking glass CGI, or using the command on a route server with CLI access.

This gives you:

    Local host: [...], Local port: 179
    Foreign host: [...], Foreign port: 29626
    [...]
    iss: 770717974  snduna: 770746699  sndnxt: 770746699  sndwnd: 15472
    irs: 431124262  rcvnxt: 440258849  rcvwnd: 15433  delrcvwnd: 951
    [...]

A traceroute will give you the information you need to estimate the TTL, and from there it's a single packet to reset the BGP session. If the looking glass is into a dedicated router, this achieves little more than causing the other routers to have to continually re-send their tables to the looking-glass; but if it's into a production router, well, it's a little more significant.

And that _is_ sufficient to do a BGP session reset in one packet as the router is happily handing out sequence numbers, source and destination IP, source and destination port.

Summary: if you don't want to do TCP MD5 auth on your BGP sessions, at least restrict "show tcp" and "show ip bgp nei" in all looking glasses and make sure your peers are not permitting them either in their directly attached routers.

David.
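The mitigation the post closes with (restrict "show tcp" and "show ip bgp nei" in the looking glass) is harder than it looks, because IOS accepts abbreviated keywords: "sh ip bgp nei" reaches the same handler as "show ip bgp neighbors", so a blocklist that searches for the literal word "neighbors" is bypassed by the very input the post describes. The following is an added example, not code from the post or from any real looking-glass package, of an allowlist gate for a hypothetical looking-glass front end: it resolves IOS-style unique-prefix abbreviations against an explicit list of permitted command templates, validates the argument as an IP address or prefix, and forwards only the fully expanded command. The template list, the `LookingGlassReject` exception and the sample inputs are all constructed for this example.

```python
"""Allowlist gate for a looking-glass CGI (added example, not the post's code).

Commands are resolved against ALLOWED_TEMPLATES using IOS-style unique-prefix
matching, so "sh ip bgp sum" expands to "show ip bgp summary" while
"sh ip bgp nei 192.0.2.1" and "show tcp" have no template at all and are
rejected before anything reaches the router.
"""
import ipaddress
from typing import Callable, Optional, Union

# A template token is either a literal keyword or a validator for an argument.
Token = Union[str, Callable[[str], bool]]


def is_prefix(arg: str) -> bool:
    """Accept an IPv4/IPv6 address or CIDR prefix and nothing else."""
    try:
        ipaddress.ip_network(arg, strict=False)
        return True
    except ValueError:
        return False


# Constructed allowlist: read-only commands that do not expose TCP state.
# Anything not derivable from these templates is refused.
ALLOWED_TEMPLATES: list[tuple[Token, ...]] = [
    ("show", "ip", "bgp", "summary"),
    ("show", "ip", "bgp", is_prefix),
    ("show", "ip", "route", is_prefix),
    ("traceroute", is_prefix),
]


class LookingGlassReject(Exception):
    """Raised when user input does not resolve to exactly one allowed command."""


def resolve(user_input: str) -> str:
    """Expand abbreviations and return the canonical command, or raise."""
    words = user_input.split()
    if not words:
        raise LookingGlassReject("empty command")
    # Only templates with the same token count can match; this alone rejects
    # "sh ip bgp nei 192.0.2.1" (5 tokens) since no 5-token template exists.
    candidates = [t for t in ALLOWED_TEMPLATES if len(t) == len(words)]
    resolved: list[str] = []
    for pos, word in enumerate(words):
        expansions: set[str] = set()
        survivors: list[tuple[Token, ...]] = []
        for tmpl in candidates:
            tok = tmpl[pos]
            if callable(tok):
                # Argument slot: keep the user's value only if it validates.
                if tok(word):
                    survivors.append(tmpl)
                    expansions.add(word)
            elif tok.startswith(word.lower()):
                # Keyword slot: the user's word must be a prefix of the keyword.
                survivors.append(tmpl)
                expansions.add(tok)
        if not expansions:
            raise LookingGlassReject(f"token {word!r} at position {pos} is not permitted")
        if len(expansions) > 1:
            # Ambiguous abbreviation: refuse rather than guess, as IOS would.
            raise LookingGlassReject(f"token {word!r} is ambiguous: {sorted(expansions)}")
        resolved.append(expansions.pop())
        candidates = survivors
    return " ".join(resolved)


def check(user_input: str) -> Optional[str]:
    """Non-raising wrapper: canonical command if allowed, else None."""
    try:
        return resolve(user_input)
    except LookingGlassReject:
        return None


if __name__ == "__main__":
    # Constructed sample inputs a looking-glass form might receive.
    for sample in ("sh ip bgp sum", "SH IP BGP 192.0.2.0/24", "tr 2001:db8::1",
                   "sh ip bgp nei 192.0.2.1", "show tcp", "show ip bgp summary; reload"):
        verdict = check(sample)
        print(f"{sample!r:40} -> {verdict if verdict else 'REJECTED'}")
```

The gate is an allowlist over resolved commands rather than a filter on raw text, so new abbreviations or spellings cannot slip past it; extending it means adding a template, and the argument validator keeps shell metacharacters and extra keywords out of whatever is eventually passed to the router.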
participants (1)
-
David Luyer