[nsp] BGP TTL Security Check
Roger
grunky at rockriver.net
Fri Apr 23 20:16:49 EDT 2004
In light of the recent TCP window vulnerability I looked around for other
ways, besides MD5 auth, to secure my BGP sessions. I ran across this:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s27/s_btsh.htm
I thought this would be a great way to secure BGP sessions as most BGP
peers are within the same subnet, i.e. each peer only needing a TTL of 1
to communicate. However, the docs on this appear backwards to me...
-----
This feature protects the eBGP peering session by comparing the value in
the TTL field of received IP packets against a hop count that is
configured locally for each eBGP peering session. If the value in the
TTL field of the incoming IP packet is greater than or equal to the
locally configured value, the IP packet is accepted and processed
normally. If the TTL value in the IP packet is less than the locally
configured value, the packet is silently discarded and an ICMP message
is not generated.
-----
Shouldn't this be the other way around?? i.e. if the IP packet has a TTL
greater than, say, 2 then drop the packet w/ no ack/response?
If I have an eBGP session set up w/ the peers' addresses being
192.168.0.1
192.168.0.2
in a /30 AND if I configure
router bgp 100
no synchronization
bgp log-neighbor-changes
neighbor 192.168.0.1 remote-as 100
neighbor 192.168.0.1 ttl-security hops 2
no auto-summary
The above statement w/ docs says a spoofed packet, supposedly from
192.168.0.1, w/ a TTL of say 20 is perfectly fine, even though we'd know
that can't be true because the TTL is just way too high for an IP address
in the same subnet.
Shouldn't the ttl-security hops parameter be a MAX ttl? instead of the min?
The section marked:
Verifying the TTL-Security Check Configuration: Example
gave the bold output
External BGP neighbor may be up to 2 hops away.
which implies an upper limit. I think they flip-flopped this in the
middle of the docs.
Is this the correct interpretation? If I'm flat wrong someone please
explain this to me...
Thanks.
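A small simulation of the two readings of the check, added here as an illustration and not code from this thread or from Cisco IOS. It assumes the GTSM form of the rule (RFC 5082): the local peer sends with TTL 255, and with "ttl-security hops N" the receiver accepts a packet only if its received TTL is >= 255 - N. The peer addresses and hop counts below are constructed scenarios.

```python
# Simulation of the BGP TTL security check (GTSM, RFC 5082).
# Added illustration; not from the cisco-nsp post or from Cisco IOS.
# Assumption: with "ttl-security hops N" the receiver accepts a packet
# only if its IP TTL on arrival is >= 255 - N.

from dataclasses import dataclass

MAX_TTL = 255


@dataclass(frozen=True)
class Packet:
    src: str   # claimed source address (may be spoofed)
    ttl: int   # IP TTL as seen by the receiving router


def send(src, initial_ttl, routers_traversed):
    """Model a packet arriving after each intermediate router decremented TTL."""
    ttl = initial_ttl - routers_traversed
    if ttl <= 0:
        return None  # expired in transit, never reaches the peer
    return Packet(src, ttl)


def gtsm_accept(pkt, hops):
    """The documented rule: accept only if TTL >= 255 - hops (a minimum)."""
    return pkt is not None and pkt.ttl >= MAX_TTL - hops


def max_ttl_accept(pkt, hops):
    """The 'upper limit' reading from the post: accept only if TTL <= hops."""
    return pkt is not None and pkt.ttl <= hops


def evaluate(hops=2):
    """Run constructed packets through both rules for a directly connected /30 peer."""
    # Legitimate directly connected peer speaking GTSM: starts at 255, 0 routers in between.
    legit_gtsm = send("192.168.0.1", MAX_TTL, 0)
    # Legitimate peer under the 'max' reading would instead start at TTL = hops.
    legit_max = send("192.168.0.1", hops, 0)
    # Spoofed packet from 20 routers away, attacker starts at the maximum 255.
    spoof_far = send("192.168.0.1", MAX_TTL, 20)
    # Spoofed packet from 20 routers away, attacker picks a low initial TTL
    # so the packet arrives with TTL == hops.
    spoof_low = send("192.168.0.1", 20 + hops, 20)

    return {
        # TTL cannot be raised in transit, so a remote sender can never reach
        # the minimum; both spoofed packets are discarded.
        "gtsm": {
            "legit": gtsm_accept(legit_gtsm, hops),
            "spoof_far": gtsm_accept(spoof_far, hops),
            "spoof_low": gtsm_accept(spoof_low, hops),
        },
        # A maximum can be met by any sender simply choosing a small initial
        # TTL, so the 'upper limit' reading does not distinguish peers.
        "max_ttl": {
            "legit": max_ttl_accept(legit_max, hops),
            "spoof_far": max_ttl_accept(spoof_far, hops),
            "spoof_low": max_ttl_accept(spoof_low, hops),
        },
    }


if __name__ == "__main__":
    for rule, results in evaluate().items():
        print(rule, results)
```

The point the simulation makes is that a TTL only ever decreases as a packet crosses routers; a sender can choose a low starting TTL but cannot make a packet arrive with a higher TTL than 255 minus the routers it crossed. That is why the documented check is a minimum, and why "hops 2" in the show output reads as "may be up to 2 hops away": a peer further than that cannot satisfy the floor.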