Re: Multi-homed clients and BGP timers

2009-05-25 Thread Olof Kasselstrand
We have customers in the same way you do. We only use Cisco (both pop routers and managed cpe) and use neighbor xxx.xxx.xxx.xxx timers 5 15 on the pop routers with great success. We haven't found any drawback so far. // OK On Sat, May 23, 2009 at 12:45 AM, Steve Bertrand wrote: > Hi all, > > I

Re: AH or ESP

2009-05-25 Thread Jack Kohn
Glen, IPSECME WG at IETF is actually working on the exact issue that you have described (unable to deep inspect ESP-NULL packets). You can look at draft-ietf-ipsecme-traffic-visibility-02

Re: Multi-homed clients and BGP timers

2009-05-25 Thread Florian Weimer
* Iljitsch van Beijnum: > 30 60 isn't a good choice because that means that after 30.1 seconds a > keepalive comes in and then after 60.0 seconds the session will expire > while the second one would be there in 60.1 seconds. Wouldn't the underlying TCP retry sooner than that?

IXP BGP timers (was: Multi-homed clients and BGP timers)

2009-05-25 Thread Chris Caputo
What's the BCP for BGP timers at exchange points? I imagine if everyone did something low like 5-15 rather than the default 60-180, CPU usage increase could be significant given a high number of peers. Keeping in mind that "bgp fast-external-failover" is of no use at an exchange since the fabric i

Re: Multi-homed clients and BGP timers

2009-05-25 Thread Danny McPherson
On May 25, 2009, at 11:33 AM, Florian Weimer wrote: * Iljitsch van Beijnum: 30 60 isn't a good choice because that means that after 30.1 seconds a keepalive comes in and then after 60.0 seconds the session will expire while the second one would be there in 60.1 seconds. Wouldn't the und

Re: IXP BGP timers (was: Multi-homed clients and BGP timers)

2009-05-25 Thread Andree Toonk
Hi Chris, .-- My secret spy satellite informs me that at Mon, 25 May 2009, Chris Caputo wrote: > Would going below 60-180 without first discussing it with your peers, tend > to piss them off? 60-180 is fairly conservative. 60-180 is the Cisco default I believe, however Junipers defaults are 30

RE: IXP BGP timers (was: Multi-homed clients and BGP timers)

2009-05-25 Thread John.Herbert
For those in multivendor environments, it's worth also being aware that since 7.6R1 JunOS sets the minimum BGP hold timer to 20 seconds. If I were creating a standard timer config to deploy consistently on customer peers (and needed something on the fast side in timer terms) I would need to take

Re: Multi-homed clients and BGP timers

2009-05-25 Thread Florian Weimer
* Danny McPherson: > On May 25, 2009, at 11:33 AM, Florian Weimer wrote: > >> * Iljitsch van Beijnum: >> >>> 30 60 isn't a good choice because that means that after 30.1 >>> seconds a >>> keepalive comes in and then after 60.0 seconds the session will >>> expire >>> while the second one would be t

Re: AH or ESP

2009-05-25 Thread Merike Kaeo
Yeah - the main issue with using ESP is that there's a trailer at end of packet that tells you more info to determine whether you can inspect the packet. So you have to look at the end of the packet to see whether ESP is using encryption or null-encryption (i.e. just integrity protection).

Re: AH or ESP

2009-05-25 Thread Jack Kohn
Not really. Currently, you can't even look at the ESP trailer to determine if it's an encrypted or an integrity protected packet, because the trailer itself could be encrypted. A router, by reading the next-header field from the ESP trailer, can never be sure that it's an OSPFv3 packet inside since i

Re: AH or ESP

2009-05-25 Thread Glen Kent
Just a quick question: Why do we need AH when we have ESP-NULL? Is AH now being supported only for legacy reasons? The only negative with ESP-NULL afaik was that it could not be filtered (since packets could not be inspected), however, this changes with the "wesp" proposal. Also, the fact that AH i

Re: AH or ESP

2009-05-25 Thread Merike Kaeo
Coming from someone who is somewhat jaded... politics. Realistically there are some folks who believe that not having the IP header (and with v6 also the option headers) integrity protected is an issue. It's not. You have more risk of operation issues from adding complexity of AH... not

Re: AH or ESP

2009-05-25 Thread Jack Kohn
Hmm .. besides this, AH is *never* export restricted. Also, I could be mistaken, but isn't AH compliance mandatory in IPv6? Earlier there were some issues in using ESP with TCP performance enhancement proxies used in wireless networks, which couldn't deep inspect the ESP packets to extract TCP flow

Re: AH or ESP

2009-05-25 Thread Merike Kaeo
IPsec as a whole is compliance mandatory for IPv6, although for the new version of the IPv6 Node Requirements that came out recently I think they changed that to a 'SHOULD'. Wireless devices (phones) have issues with battery life when IPsec is implemented. Note that all standards say ESP-Null is 'MUS