nanog mailing list archives

Re: redistribute bgp considered harmful


From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Mon, 7 Oct 2002 14:05:38 +0200 (CEST)


On Mon, 7 Oct 2002, David Luyer wrote:

>> But not allowing BGP -> IGP -> BGP might be a good one. On the other hand,
>> someone who is determined to screw up could do BGP -> IGP on one router
>> and IGP -> BGP on another.

> I've seen that done.  And usefully.

But it's just too dangerous.

> Any feature can be useful, but you just have to be very careful and
> very aware of what you're doing and why it is evil.  If you can
> carefully select the routes via, say, nexthop, filter them correctly
> and know what ASN to insert them into, then you can use an IGP to
> transport routes between two ASNs (or more, if you match various
> nexthops and use them to insert into different ASNs).

The trouble is that it is way too easy to screw it up. Even if you think
you are doing everything right, unexpected results can ensue. For
instance, not so long ago I discovered that our favorite router vendor
starting with a C doesn't offer any way to change filters without leaking
routes. Old config:

router bgp 123
 neighbor 4.5.6.7 prefix-list a out

And then I typed:

router bgp 123
 neighbor 4.5.6.7 prefix-list b out

Doing this triggered upstream max prefixes two out of three times, so
routes that weren't allowed by either the old _or_ the new filter managed
to slip through.

> Imagine ISP A and ISP B are BGP-speakers with only a small amount of
> peering traffic, and an asymmetric flow (say ISP B is a small, modem
> customer only ISP, and ISP A have a bit of content and a slightly
> larger customer base).
>
> Now say ISP A and ISP B peer for some reason, and ISP A uses BGP as
> their only interstate routing protocol, so they need the routes to
> appear in their BGP table.

Ok, but what about the BGP -> IGP redistribution? This part doesn't seem
necessary here. In this case ISP A seems to use BGP for interior purposes
(as many networks do these days) so it seems unlikely they also
redistribute BGP into the IGP, which was mainly done long ago.

> ISP B could be using a Cisco 827 (RIPv2 only) to connect to ISP A's
> ADSL product via L2TP.
>
> ISP A could be putting ISP B into a VRF and then forwarding them
> off to a small router (eg, an old 1000-series, with an IOS before
> BGP was removed from them[1]), which they peer via BGP back to their
> regular network (having configured it in ISP B's ASN), and insert
> the routes (after filtering) from RIPv2 into BGP.

Wouldn't configuring a tunnel between BGP-capable routers in each AS be
much simpler?

> Of course, this is probably a good argument -not- to support IGP
> into BGP distribution, because someone might use it for something
> like the above! :-)

I rest my case.   (-:

Iljitsch
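The following is an added illustration of the failure mode the thread is arguing about, not code from either poster: a small Python model of what happens to a BGP route that is redistributed into an IGP on one router and back into BGP on another. The ASNs, prefixes and the simplified best-path rule (AS_PATH length, then origin) are constructed for this example; the point is that the IGP strips the AS_PATH, so the re-exported route looks locally originated and beats the legitimate path at the next AS, and that a prefix filter on the redistribution (the "after filtering" the thread insists on) is what prevents the leak.

```python
"""Model of why BGP -> IGP -> BGP redistribution is dangerous (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

# BGP origin codes in order of preference (lower is better), as in the BGP decision process.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    as_path: Tuple[int, ...]   # leftmost AS is the most recently traversed one
    origin: str                # "igp", "egp" or "incomplete"


@dataclass(frozen=True)
class IgpRoute:
    prefix: str
    metric: int


def bgp_to_igp(route: BgpRoute, metric: int = 20) -> IgpRoute:
    """Redistribute into the IGP: only prefix and metric survive; AS_PATH and origin are lost."""
    return IgpRoute(route.prefix, metric)


def igp_to_bgp(route: IgpRoute,
               export_filter: Optional[Callable[[str], bool]] = None) -> Optional[BgpRoute]:
    """Redistribute IGP into BGP. The route re-enters BGP as locally originated (empty
    AS_PATH, origin incomplete). `export_filter` stands in for a prefix-list on the
    redistribute statement; with no filter every IGP route is re-exported."""
    if export_filter is not None and not export_filter(route.prefix):
        return None
    return BgpRoute(route.prefix, (), "incomplete")


def announce(route: BgpRoute, local_as: int) -> BgpRoute:
    """What an eBGP neighbor sees: the announcing AS prepended to the path."""
    return BgpRoute(route.prefix, (local_as,) + route.as_path, route.origin)


def best_path(candidates: Iterable[BgpRoute]) -> BgpRoute:
    """Simplified BGP decision: shortest AS_PATH, then best origin. Enough to show the effect."""
    return min(candidates, key=lambda r: (len(r.as_path), ORIGIN_RANK[r.origin]))


def own_prefixes_only(prefix: str) -> bool:
    """Stand-in for a prefix-list permitting only what AS 123 is entitled to originate
    (constructed value)."""
    return prefix in {"198.51.100.0/24"}


def simulate(export_filter: Optional[Callable[[str], bool]] = None) -> dict:
    """AS 123 learns a prefix belonging to AS 64500 via AS 64496, carries it through its IGP,
    and re-announces it to neighbor AS 64497, who also hears the legitimate path.
    All ASNs and prefixes are constructed for this example."""
    local_as = 123
    victim_prefix = "192.0.2.0/24"
    # Learned over eBGP from transit AS 64496, originated by AS 64500.
    learned = BgpRoute(victim_prefix, (64496, 64500), "igp")

    # Router 1 in AS 123 does BGP -> IGP; router 2 in AS 123 does IGP -> BGP.
    in_igp = bgp_to_igp(learned)
    reexported = igp_to_bgp(in_igp, export_filter)

    # Neighbor AS 64497 hears the legitimate route directly from AS 64496 ...
    legitimate = announce(BgpRoute(victim_prefix, (64500,), "igp"), 64496)
    candidates = [legitimate]
    # ... and, if the leak happened, the same prefix apparently originated by AS 123.
    if reexported is not None:
        candidates.append(announce(reexported, local_as))

    return {"reexported": reexported, "chosen": best_path(candidates)}


if __name__ == "__main__":
    leak = simulate()
    print("unfiltered:", leak["chosen"])   # AS 64497 prefers (123,) over (64496, 64500)
    safe = simulate(own_prefixes_only)
    print("filtered:  ", safe["chosen"])   # legitimate path; nothing was re-exported
```

The unfiltered run shows that the "incomplete" origin does not save you: the decision process compares AS_PATH length first, and a one-hop path from AS 123 beats the two-hop legitimate one, so AS 64497 now sends AS 64500's traffic into AS 123. The filtered run models the only real defence on the redistributing side, a prefix-list that permits nothing but the prefixes the AS is supposed to originate; the upstream's maximum-prefix limit mentioned in the thread is the safety net on the receiving side.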

