[nsp] bgp vulnerability

Gert Doering gert at greenie.muc.de
Thu Apr 22 11:49:29 EDT 2004


Hi,

On Thu, Apr 22, 2004 at 10:44:16AM +0500, Majid Siddiq wrote:
> Spoofed packets for BGP can be blocked if, say, someone adds a feature in the
> bgp implementation to check the TTL of 255. The directly connected neighbor
> should source it with 255 TTL instead of 1. This should defeat the spoofed
> packets sourced from more than one hop.
> 
> Just a thought; maybe cisco can think on these lines.

Implemented in 12.3(7)T and 12.0(27)S. Search www.cisco.com for "BGP TTL".

Unfortunately the documentation seems to have been written by someone who
completely misunderstands what it's all about.

<ObRant>
Also, there is no support in 12.2S and all the other releases ISPs need 
to use due to feature disparity / lack of hardware support between all 
those interesting IOS trains...
</ObRant>

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
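The check discussed in this thread (the generalized TTL security mechanism, RFC 3682: the sender uses TTL 255 and the receiver rejects anything that has lost more hops than the peer's distance allows) is illustrated below with a constructed Python example that is not from the post or from Cisco's implementation. It builds raw IPv4 headers, simulates intermediate routers decrementing the TTL, and applies the accept rule; the `transit_routers` parameter is this example's own convention (number of intermediate routers, 0 for a directly connected peer) and not the semantics of any vendor keyword, and the addresses are RFC 5737 placeholders.

```python
import ipaddress
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a 20-byte header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF

def with_ttl(header: bytes, ttl: int) -> bytes:
    """Copy of the header with a new TTL and a recomputed checksum."""
    zeroed = header[:8] + bytes([ttl]) + header[9:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]

def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (no options) as a BGP speaker would send for TCP."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return with_ttl(raw, ttl)

def transit(header: bytes, routers: int) -> bytes:
    """Simulate `routers` intermediate routers; each decrements the TTL by one."""
    for _ in range(routers):
        if header[8] <= 1:
            raise ValueError("TTL expired in transit")
        header = with_ttl(header, header[8] - 1)
    return header

def gtsm_accept(header: bytes, transit_routers: int = 0) -> bool:
    """Accept only if a sender that started at TTL 255 could be this close.
    transit_routers=0 means directly connected: the TTL must still be 255."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return False
    return header[8] >= 255 - transit_routers

def demo() -> dict:
    """Constructed scenarios with RFC 5737 placeholder addresses (assumed, not real peers)."""
    me, peer, far_peer = "192.0.2.1", "192.0.2.2", "198.51.100.7"
    direct = transit(build_ipv4_header(peer, me, 255), 0)     # the real neighbour
    spoofed = transit(build_ipv4_header(peer, me, 255), 5)    # forged source, 5 routers away
    legacy = transit(build_ipv4_header(peer, me, 1), 0)       # old "send with TTL 1" habit
    multihop = transit(build_ipv4_header(far_peer, me, 255), 3)
    return {"direct": gtsm_accept(direct), "spoofed": gtsm_accept(spoofed),
            "legacy_ttl1": gtsm_accept(legacy),
            "multihop_3": gtsm_accept(multihop, transit_routers=3)}
```

Note that the check only works once both sides send with TTL 255; a neighbour still sending with TTL 1 (the `legacy` case) is rejected, which is why the feature has to be enabled per peer on both ends.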


More information about the cisco-nsp mailing list