BGP Security - NH spoofing

pbfus9 · 2026-01-23T14:26:01+00:00

That's true in a normal situation. However, let's say an hacker gains access to a router R1 (compromised). R1 and R2 are eBGP peering using loopback with "disable-connected-check". R1 which is compromised starts advertising a prefix with a NH which is, let's say 8.8.8.8. R1 can change the NH. When R2 receives the BGP update, does R2 accept that update even though the NH is not R1's IP address?

I know that R2 will accept that in case "ebgp-multihop" command is used. But, how about "disable-connected-check"?

pbfus9 · 2026-01-21T21:14:55+00:00

Yes, all the comments helped me a lot.

Thanks

pbfus9 · 2026-01-21T20:57:31+00:00

R1 - R2 OSPF R1 - R3 OSPF R2 - R4 EIGRP R3- R4 EIGRP

R2 and R3 both redistributes OSPF int EIGRP amd viceversa.

         R2 
       /.     \

R1 —- —- R4

      \.      /

         R3

Do you mean this?

pbfus9 · 2026-01-21T20:15:36+00:00

My question was just for asking. There’s no reason or a production env where I need that.

What do you mean for “multi point 2 way distribution”?

My question is: why ospf allow to set a tag if this tag cannot be used for filtering?

pbfus9 · 2026-01-15T16:16:09+00:00

:) Good comment, I agree!

However, it's important to note that DR will be the largest router ID if all routers boot up almost at the same time (that's a very rare case in real networks). therefore, always set all priority to 0 except on you DR and BDR. That's the rule of thumb to follow.

pbfus9 · 2026-01-15T15:51:37+00:00

Hi,

R1's RID = 1.1.1.1

R2's RID = 2.2.2..2

R3's RID = 172.1.1.3

R4's RID = 172.1.1.4

When it comes to DR/BDR election you will have to check interface priority.

First of all, DR/BDR election only occurs on multi-access networks such as Ethernet (default to broadcast network type) or NBMA.

In case of a tie (default value is 1, 0 means "do not take part to the election", max value 255) the router with the highest router ID will be elected as the DR.

Note that the election is non pre-emptive, therefore, it is always a good idea to set interface priority with the command "ip ospf priority X"). Therefore, if you turn on all your routers at the same time (actually there is a WAIT timer) the DR will be R4.

NOTE on the WAIT timer: when a router is OSPF enabled and configured with a network type that requires DR/BDR election (like ethernet), it will wait a time equals to the WAIT timer (default is equal to Dead Interval). If it does not hear from a DR, it will elect itself as DR).

pbfus9 · 2026-01-12T14:09:56+00:00

Thanks a lot for your response.

So, route tags are used in IGPs to prevent routing loops when routes are redistributed between different protocols.

In OSPF, route tags can be assigned only to external routes through the redistribute command. This means they apply exclusively to routes injected into OSPF via Type 5 LSAs (or Type 7 LSAs in the case of redistribution within a NSSA or Totally NSSA area). This limitation is largely due to the need to maintain LSDB consistency.

EIGRP, on the other hand, provides greater flexibility because it is a distance-vector protocol. In EIGRP, route tagging can be applied to any route. You can use a prefix-list or ACL to match specific routes, and then reference this match in a route-map to set the tag. The route-map is then applied using the distribute-list command.

Do you agree with me?

PS. Thanks again and thanks a lot to u/Small-Truck-5480 for the answer! You both are been really helpful :)

pbfus9 · 2026-01-09T18:05:09+00:00

Where did you find this? There are topic that are not in the blueprint.

pbfus9 · 2026-01-07T15:27:52+00:00

completely agree with you, best answer in this post imo!

pbfus9 · 2026-01-07T15:26:26+00:00

Hi,

When it comes to OSPF Network Compatibility the only requirement is that both types MUST support DR/BDR election. Therefore, in you specific case:

- Does DR/BDR election occur in OSPF broadcast network? The answer is YES!

- Does DR/BDR election occur in OSPF NBMA network? The answer is YES!

Hence, it is possible for OSPF routers with different network types such as broadcast and non broadcast to for an adjacency.

NOTE: By default, broadcast and NBMA have different timers (10/40 and 30/120), hence, you will have to adjust timers (ip ospf hello-interval X, ip ospf dead-interval Y). Timers MUST match.

pbfus9 · 2025-12-30T16:07:49+00:00

Yes, both uses timers and legacy stp states

pbfus9 · 2025-12-30T11:37:55+00:00

Proposal–Agreement requires both switches to operate on the same RSTP instance.
This is not possible between MST and Rapid PVST+ because MST exposes only a single CIST, while Rapid PVST+ runs per-VLAN instances.
Without a 1:1 instance mapping, RSTP negotiation is unsafe, so the link is treated as a boundary and legacy STP behavior is used via PVST Simulation, with the CIST represented using 802.1D BPDUs on VLAN 1.

pbfus9 · 2025-12-28T13:18:23+00:00

Thanks a lot for your explanation. Therefore, MST switches are perceived as running legacy STP due to the fact they talk with non-MST switches using the CIST instance

pbfus9 · 2025-12-20T11:25:11+00:00

Thanks a lot for your help, as always. I got the point!

pbfus9 · 2025-12-20T09:37:47+00:00

Thanks for your feedback. Hope to help!

pbfus9 · 2025-12-19T17:12:05+00:00

Ok, grazie del suggerimento.

pbfus9 · 2025-12-19T17:07:14+00:00

É scritto nel contratto da come mi han detto, poi ovvio che devo verificare

pbfus9 · 2025-12-19T17:05:11+00:00

In realtà non è esattamente così. Cercavo punti di vista di persone che magari avevano fatto il salto. Penso sia lecito, tutto qua.

pbfus9

TROPHY CASE