Many moons ago, Mike O'Dell had a pithy observation about "can" vs. "should" that is escaping me at this moment, which is a pity since it almost certainly applies here.
-r

Dave Waters <[email protected]> writes:

> Because BFD packets can get routed across multiple hops. Unlike EBGP where
> you connect to a peer in a different AS and you have a direct connection,
> BFD packets can traverse multiple hops to reach the endpoint.
>
> In case of multihop BFD the BFD packets also get re-routed when the
> topology changes so you can almost never bet on the TTL value to secure
> the protocol.
>
> Dave
>
> On Tue, Feb 17, 2015 at 7:03 AM, Rob Seastrom <[email protected]> wrote:
>
> > Dave Waters <[email protected]> writes:
> >
> > > http://www.reddit.com/r/networking/comments/2vxj9u/very_elegant_and_a_simple_way_to_secure_bfd/
> > >
> > > Authentication mechanisms defined for IGPs cannot be used to protect
> > > BFD since the rate at which packets are processed in BFD is very high.
> > >
> > > Dave
> >
> > One might profitably ask why BFD wasn't designed to take advantage of
> > high-TTL-shadowing, a la draft-gill-btsh.
> >
> > -r
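
As an added illustration of the exchange above (example code, not from either poster), here is a GTSM-style receive check in the spirit of draft-gill-btsh (later standardized as RFC 5082) run over constructed BFD control packets: exact for a directly connected peer, but for multihop BFD the tolerance must be widened to the expected hop count, so a re-route that lengthens the path either drops legitimate packets or forces a wider tolerance that admits more remote hosts. Packet contents, addresses and the hop-count model are constructed for the demo.

```python
"""GTSM-style TTL check for BFD, as an illustrative model (not real BFD code).

The sender sets IP TTL 255; each router hop decrements it by one. The
receiver accepts a packet only if its arrival TTL is still within the
configured hop tolerance of 255, so hosts farther away than that
tolerance cannot get a packet through the check.
"""
from dataclasses import dataclass

MAX_TTL = 255


@dataclass(frozen=True)
class BfdPacket:
    """Constructed stand-in for a received BFD control packet."""
    src: str
    ttl: int            # IP TTL observed on arrival
    payload: bytes = b"BFD-control"


def ttl_after_path(hops: int) -> int:
    """Arrival TTL of a packet sent with TTL 255 across `hops` routers (model)."""
    return MAX_TTL - hops


def gtsm_accept(pkt: BfdPacket, hop_tolerance: int) -> bool:
    """Accept only if the packet could have travelled at most `hop_tolerance` hops.

    hop_tolerance=0 is the single-hop case: TTL must be exactly 255.
    """
    return pkt.ttl >= MAX_TTL - hop_tolerance


def single_hop_demo() -> tuple[bool, bool]:
    """Directly connected peer: legitimate packet passes, anything routed is dropped."""
    legit = BfdPacket("10.0.0.2", ttl=ttl_after_path(0))
    routed = BfdPacket("192.0.2.9", ttl=ttl_after_path(1))  # crossed one router
    return gtsm_accept(legit, 0), gtsm_accept(routed, 0)


def multihop_demo(hop_tolerance: int, actual_hops: int) -> bool:
    """Multihop session: the legitimate peer's packet after `actual_hops` hops.

    If a re-route makes actual_hops exceed hop_tolerance, the session flaps;
    raising hop_tolerance to cover it also admits every host within that radius.
    """
    pkt = BfdPacket("198.51.100.1", ttl=ttl_after_path(actual_hops))
    return gtsm_accept(pkt, hop_tolerance)


if __name__ == "__main__":
    print("single hop (legit, routed):", single_hop_demo())
    print("multihop tol=3 path=3:", multihop_demo(3, 3))
    print("multihop tol=3 path=5 (after re-route):", multihop_demo(3, 5))
    print("multihop tol=5 path=5 (widened tolerance):", multihop_demo(5, 5))
```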

