Hi, when enabling BGP on a single external IP address, the router listens on port 179 on all of the locally configured external IP addresses on the external interface facing the internet. Should it listen only on the configured neighbor IPs? Is this going to be fixed in future versions?
It’s common practice to use an internal loopback interface for BGP neighboring, instead of using the interface where your BGP is reachable.
Your suggestion will break that behavior.
If you want to protect your BGP process (which is a good thing to begin with), apply firewall rules.
No, when you enable BGP on a Juniper router (at least for 14.1 software), the BGP process binds on all interfaces/IPs:

root@qfx:RE:0% netstat -a -n | grep 179 | grep LISTEN
tcp46      0      0  *.179      *.*      LISTEN
tcp4       0      0  *.179      *.*      LISTEN

When a connection is established from an unconfigured peer, the BGP session goes down immediately after sending a notify:
Jul 12 17:10:18.315883 BGP SEND Notification code 6 (Cease) subcode 5 (Connection Rejected)
Jul 12 17:10:18.315909 bgp_listen_accept:4781: NOTIFICATION sent to 10.10.10.12+58710 (proto): code 6 (Cease) subcode 5 (Connection Rejected), Reason: Connection attempt from unconfigured neighbor: 10.10.10.12+58710
BUT Juniper ACCEPTS a connection to ANY local address if the connection comes from a valid peer.
VyOS/Quagga listens on all interfaces but immediately closes connections from invalid peers (without a notify).
Juniper gives you some magic with dynamic prefix-lists using apply-path and an lo0-attached filter; it discards any unwanted connections without you typing firewall rules/addresses for the peers. You can use a "local" filter on all interfaces in VyOS if you really need such filtering.
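As an added illustration of the "local" filter mentioned above (this is not configuration from the original thread or from the VyOS project), here is a VyOS firewall policy that mimics the Juniper lo0 approach: peers are kept in an address-group, so adding a neighbor means adding one address to the group rather than writing a new rule. The neighbor address 10.10.10.12, the second peer 10.10.10.13, and the interface name eth0 are assumed values; the syntax is the VyOS 1.1-era CLI, so check it against your release before committing.

```vyos
# Constructed example: restrict inbound TCP/179 to configured BGP neighbors.
# One group holds every peer; rules reference the group, not individual hosts.
set firewall group address-group BGP-PEERS address 10.10.10.12
set firewall group address-group BGP-PEERS address 10.10.10.13

# Default-action accept keeps SSH, ICMP, etc. working; only port 179 is constrained.
set firewall name BGP-LOCAL default-action accept
set firewall name BGP-LOCAL description 'Allow BGP only from configured peers'

# Rule 10: connections to port 179 from a listed peer are allowed.
set firewall name BGP-LOCAL rule 10 action accept
set firewall name BGP-LOCAL rule 10 protocol tcp
set firewall name BGP-LOCAL rule 10 destination port 179
set firewall name BGP-LOCAL rule 10 source group address-group BGP-PEERS

# Rule 20: any other connection attempt to port 179 is dropped silently.
set firewall name BGP-LOCAL rule 20 action drop
set firewall name BGP-LOCAL rule 20 protocol tcp
set firewall name BGP-LOCAL rule 20 destination port 179
set firewall name BGP-LOCAL rule 20 log enable

# Attach as a "local" filter: it only inspects traffic destined to the router itself.
set interfaces ethernet eth0 firewall local name BGP-LOCAL
```

The filter matches on destination port 179 only, so sessions the router itself initiates towards a peer (whose return packets arrive with source port 179 and an ephemeral destination port) are unaffected. Apply the same `firewall local` policy to every interface that carries a public address, since the daemon binds to all of them, and repeat the exercise with `firewall ipv6-name` if the router also has an IPv6 listener (the `tcp46` socket above).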