[nsp] BGP TTL Security Check
Gert Doering
gert at greenie.muc.de
Sat Apr 24 06:30:20 EDT 2004
Hi,

On Fri, Apr 23, 2004 at 08:28:44PM -0600, Danny McPherson wrote:
> The documentation is indeed correct.

No. Some statements clearly point out that the author had no idea what he
was talking about.

The most prominent part is this one (repeated a couple of times):

"The following example sets the hop count to 1 for the 10.1.1.1 neighbor.
Because the hop-count argument is set to 2, BGP will only accept IP packets
with a TTL count in the header that is equal to or greater than 2."

Comparing to "equal to or greater than 2" would be mostly useless - it
needs to compare to "equal to or greater than 254" to be of any use
against spoofed packets.

I assume that the programmers knew what they were doing (even if the
way it's configured - by # of hops, instead of specifying the expected
TTL - is confusing in itself) but the person who wrote the documentation
really didn't. Which is a shame - usually Cisco docs are very good.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
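Added example, not part of the post above: it puts the two readings of the check side by side, the one the quoted documentation describes (TTL >= hop-count) and the one the post says is actually needed (TTL near the maximum), and runs both over constructed packets. The threshold formula 255 - hop_count is an assumption chosen to match the "254" in the post; the packets and TTL values are constructed for illustration.

```python
# Added example (not from the original post or from Cisco).
# Assumption: the useful check accepts TTL >= 255 - hop_count, which gives
# 254 for a directly connected (hop_count = 1) neighbor, as the post says.

INITIAL_TTL = 255  # peers using the TTL hack send with the maximum TTL


def gtsm_min_ttl(hop_count: int) -> int:
    """Lowest TTL accepted from a peer configured hop_count hops away."""
    return 255 - hop_count


def ttl_on_arrival(initial_ttl: int, hops_traversed: int) -> int:
    """TTL of a packet after each router on the path decrements it once."""
    return max(initial_ttl - hops_traversed, 0)


def gtsm_accepts(ttl: int, hop_count: int) -> bool:
    """The check the post argues for: only near-maximum TTLs pass."""
    return ttl >= gtsm_min_ttl(hop_count)


def documented_check_accepts(ttl: int, hop_count: int) -> bool:
    """The check as the quoted documentation (wrongly) describes it."""
    return ttl >= hop_count


def evaluate(packets, hop_count):
    """Map each constructed packet label to (documented_result, gtsm_result)."""
    return {
        label: (documented_check_accepts(ttl, hop_count), gtsm_accepts(ttl, hop_count))
        for label, ttl in packets
    }


# Constructed sample traffic for a neighbor configured with hop_count = 1.
HOP_COUNT = 1
PACKETS = [
    ("directly connected peer, TTL 255 sent", ttl_on_arrival(INITIAL_TTL, 1)),  # 254
    ("spoofed from 20 hops away, TTL 255 sent", ttl_on_arrival(INITIAL_TTL, 20)),  # 235
    ("spoofed from 10 hops away, TTL 64 sent", ttl_on_arrival(64, 10)),  # 54
]

if __name__ == "__main__":
    for label, (doc_ok, gtsm_ok) in evaluate(PACKETS, HOP_COUNT).items():
        print(f"{label:42s} documented={doc_ok!s:5} gtsm={gtsm_ok}")
```

Only the directly connected peer passes the near-maximum check; both spoofed packets pass the "equal to or greater than the hop count" reading, which is why the post calls that comparison useless.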