[nsp] BGP TTL Security Check

Gert Doering gert at greenie.muc.de
Sat Apr 24 06:26:32 EDT 2004


Hi,

On Fri, Apr 23, 2004 at 07:16:49PM -0500, Roger wrote:
> I thought this would be a great way to secure BGP sessions as most BGP 
> peers are within the same subnet, ie each peer only needing a TTL of 1 
> to communicate.  However the docs on this appear backwards to me..

A TTL of 1 (at the target system) is very easy to achieve - just send a
packet with the proper "start" TTL, and all the routers on the path
will happily adapt the TTL for you, so that it ends up with a TTL of 1.

The BGP TTL trick is: send packets with a TTL of 255, and the receiver
validates that the TTL is 255 indeed.  If the TTL is lower, the packet
didn't come from an adjacent neighbor, and must be dropped.

Unfortunately, the person that wrote the Cisco documentation didn't
understand that either.  There are some statements in the docs that are
*fundamentally* wrong.

> router bgp 100
>  no synchronization
>  bgp log-neighbor-changes
>  neighbor 192.168.0.1 remote-as 100
>  neighbor 192.168.0.1 ttl-security hops 2

This will mean "your router sends out packets with a TTL of 255, and
all incoming packets will only be accepted if their TTL is 254 or 255".

[..]
> The above statement w/ docs say a spoofed packet, supposedly from 
> 192.168.0.1, w/ a ttl of say 20 is perfectly fine, even though we'd know 
> that can't be true because the TTL is just way too high for an IP address 
> in the same subnet.

The other way around.  A *low* TTL is very easy to achieve for a spoofing
sender.  But it's impossible to get a *high* TTL spoofed.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
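A small model of the check discussed in the message above, added here as an example (it is not code from the thread or from Cisco's implementation). The `hops` argument follows the meaning given for `ttl-security hops N` (hops 2 accepts TTL 254 or 255); `distance` counts the routers between sender and receiver, so a directly connected neighbor has distance 0.

```python
"""Model of the BGP TTL security check (GTSM): the sender puts TTL 255 on
its packets and the receiver accepts only TTLs that a peer at most `hops`
away could still deliver.  Helper names are this example's own."""

MAX_TTL = 255  # 8-bit field; no sender can start higher than this


def ttl_after_path(initial_ttl: int, distance: int) -> int:
    """TTL of a packet after `distance` routers have each decremented it.
    Returns 0 when the packet would have been discarded on the way."""
    ttl = initial_ttl - distance
    return ttl if ttl > 0 else 0


def gtsm_accept(arriving_ttl: int, hops: int = 1) -> bool:
    """Receiver-side check: accept only if arriving TTL is in
    [256 - hops, 255], i.e. hops=1 -> only 255, hops=2 -> 254 or 255."""
    if not 1 <= hops <= MAX_TTL:
        raise ValueError("hops must be between 1 and 255")
    return (MAX_TTL - hops + 1) <= arriving_ttl <= MAX_TTL


def initial_ttl_for_arrival(target_ttl: int, distance: int):
    """Start TTL a sender `distance` routers away needs so the packet shows
    up with `target_ttl`; None when that would exceed the 8-bit maximum.
    This is why a low arriving TTL is easy to forge and a high one is not."""
    needed = target_ttl + distance
    return needed if needed <= MAX_TTL else None


def max_spoofable_ttl(distance: int) -> int:
    """Highest arriving TTL a host `distance` routers away can produce:
    it may start at 255, but every router in between takes one off."""
    return ttl_after_path(MAX_TTL, distance)


if __name__ == "__main__":
    # Directly connected peer with "ttl-security hops 2": arrives with 255.
    print(gtsm_accept(ttl_after_path(MAX_TTL, 0), hops=2))   # True
    # A forger 20 routers away can arrive with TTL 1 (start at 21) ...
    print(initial_ttl_for_arrival(1, 20))                    # 21
    # ... but can never arrive with 254 or 255.
    print(max_spoofable_ttl(20), gtsm_accept(max_spoofable_ttl(20), 2))
```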