[nsp] BGP TTL Security Check

Andre Chapuis chapuis at ip-plus.net
Sat Apr 24 13:32:37 EDT 2004


So do we have to set 'neighbor TTL-security 1, 2, 254 or 255'?
=> 2 questions
1. Is the value the min TTL allowed, or 255 minus the max TTL allowed?
2. Is the router first decrementing the TTL and then processing the packet? Which would seem logical to me but ....

André

----- Original Message ----- 
From: "Gert Doering" <gert at greenie.muc.de>
To: "Danny McPherson" <danny at tcb.net>
Cc: <cisco-nsp at puck.nether.net>
Sent: Saturday, April 24, 2004 12:30 PM
Subject: Re: [nsp] BGP TTL Security Check


Hi,

On Fri, Apr 23, 2004 at 08:28:44PM -0600, Danny McPherson wrote:
> The documentation is indeed correct.

No.  Some statements clearly point out that the author had no idea what he
was talking about.

The most prominent part is this one (repeated a couple of times):

"The following example sets the hop count to 1 for the 10.1.1.1 neighbor.
Because the hop-count argument is set to 2, BGP will only accept IP packets
with a TTL count in the header that is equal to or greater than 2. "

Comparing to "equal to or greater than 2" would be mostly useless; it
needs to compare to "equal to or greater than 254" to be of any use
against spoofed packets.

I assume that the programmers knew what they were doing (even if the
way it's configured - by # of hops, instead of specifying the expected
TTL - is confusing in itself) but the person who wrote the documentation
really didn't.  Which is a shame - usually Cisco docs are very good.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
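As an added example (not from the thread, and not Cisco's code), a small Python simulation of the two readings of the check discussed above: the one Gert argues the implementation must use (accept when the received TTL is at least 255 minus the configured hop count) beside the literal reading of the quoted documentation (accept when TTL is at least the hop count). It assumes the comparison is made on the TTL as the packet arrives at the router, before any local decrement; the addresses and TTL values are constructed.

```python
# Simulation of the BGP TTL-security (GTSM-style) check from the thread.
# Constructed example; not Cisco code.  Assumes the check runs on the TTL
# as received, i.e. before the router decrements anything.
from dataclasses import dataclass

MAX_TTL = 255


@dataclass(frozen=True)
class Packet:
    src: str
    ttl: int          # TTL as it arrives at the receiving router
    legitimate: bool  # ground truth, used only to score the simulation


def gtsm_accepts(ttl: int, hops: int) -> bool:
    """Reading Gert argues for: accept only if TTL >= 255 - hops."""
    return ttl >= MAX_TTL - hops


def documented_accepts(ttl: int, hops: int) -> bool:
    """Literal reading of the quoted documentation: accept if TTL >= hops."""
    return ttl >= hops


# Constructed traffic.  A directly connected peer sends with TTL 255 and it
# arrives unchanged; a peer two hops away arrives with 253; a remote sender
# cannot make packets arrive with a TTL higher than 255 minus its real
# distance, which is what the check relies on.
SAMPLES = [
    Packet("10.1.1.1", 255, True),   # directly connected neighbor
    Packet("10.1.1.1", 253, True),   # same address claimed, two hops away
    Packet("10.1.1.1", 240, False),  # spoofed from 15 hops away
    Packet("10.1.1.1", 64, False),   # spoofed from a host with default TTL 64
]


def evaluate(hops: int, check=gtsm_accepts) -> list:
    """Return (ttl, accepted) for each sample under the given hop count."""
    return [(p.ttl, check(p.ttl, hops)) for p in SAMPLES]


def spoofed_accepted(hops: int, check=gtsm_accepts) -> int:
    """Number of non-legitimate samples the check lets through."""
    return sum(1 for p in SAMPLES if not p.legitimate and check(p.ttl, hops))
```

With `hops` set to 1 the first reading admits only the TTL-255 packet, while the documented reading admits every sample, including the two spoofed ones.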



