[nsp] BGP TTL Security Check

Harold Ritter hritter at cisco.com
Sat Apr 24 15:50:25 EDT 2004


Andre,

At 07:32 PM 4/24/2004 +0200, Andre Chapuis wrote:
>So do we have to set 'neighbor TTL-security 1, 2, 254 or 255' ?
>=> 2 questions
>1. is the value the min-ttl allowed or 255-the max ttl allowed

If peers are directly connected, you would set the hops value to 1 
(therefore requiring the TTL to be 255 in incoming BGP packets).

>2. is the router first decrementing the TTL and then processing the packet 
>? which would seem logical to me but ....

For packets that are not destined to the local router, the TTL is 
decremented and then forwarded if TTL is greater than 0. TTL is not 
decremented if packets are destined to the local router.


>André
>
>----- Original Message -----
>From: "Gert Doering" <gert at greenie.muc.de>
>To: "Danny McPherson" <danny at tcb.net>
>Cc: <cisco-nsp at puck.nether.net>
>Sent: Saturday, April 24, 2004 12:30 PM
>Subject: Re: [nsp] BGP TTL Security Check
>
>
>Hi,
>
>On Fri, Apr 23, 2004 at 08:28:44PM -0600, Danny McPherson wrote:
> > The documentation is indeed correct.
>
>No.  Some statements clearly point out that the author had no idea what he
>was talking about.
>
>The most prominent part is this one (repeated a couple of times):
>
>"The following example sets the hop count to 1 for the 10.1.1.1 neighbor.
>Because the hop-count argument is set to 2, BGP will only accept IP packets
>with a TTL count in the header that is equal to or greater than 2. "
>
>comparing to "equal to or greater than 2" would be mostly useless - it
>needs to compare to "equal to or greater than 254" to be of any use
>against spoofed packets.
>
>I assume that the programmers knew what they were doing (even if the
>way it's configured - by # of hops, instead of specifying the expected
>TTL - is confusing in itself) but the person who wrote the documentation
>really didn't.  Which is a shame - usually Cisco docs are very good.
>
>gert
>
>--
>USENET is *not* the non-clickable part of WWW!
> 
>//www.muc.de/~gert/
>Gert Doering - Munich, Germany                             gert at greenie.muc.de
>fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>

Harold Ritter, CCIE 4168 (R&S / SP)
Advanced Services - Canada
Cisco Systems
1414 Massachusetts Avenue
Boxborough, MA 01719 USA
Phone: 978 936 1431
Cisco Systems- "Empowering the Internet Generation."
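The check Harold describes above (a hops value of N accepting only packets whose TTL is at least 255 - N + 1, with no TTL decrement for locally delivered packets), modelled in a few lines of Python. This is an added illustration written for this archive page, not Cisco code and not anything posted in the thread; the function names, the "transit router" model and the sample TTL values are constructed for the example. It also contrasts the real GTSM-style comparison with the "equal to or greater than hops" reading Gert quotes from the documentation, to show why that reading would be useless against spoofed packets.

```python
# Model of the BGP TTL security check ("neighbor ... ttl-security hops N").
# Constructed example; names and sample values are assumptions, not Cisco code.

MAX_TTL = 255


def min_accepted_ttl(hops: int) -> int:
    """Translate the configured hop count into the minimum TTL accepted.

    hops 1 (directly connected peer) -> TTL must be 255
    hops 2 (one router in between)   -> TTL must be at least 254
    """
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return MAX_TTL - hops + 1


def forward_through_routers(ttl: int, transit_routers: int) -> int:
    """Return the TTL seen by the BGP process on the final router.

    Every router that forwards the packet (i.e. is not the destination)
    decrements the TTL and drops the packet when it would hit 0. The
    destination router delivers to the local BGP process without
    decrementing, which is the behaviour Harold describes.
    """
    for _ in range(transit_routers):
        ttl -= 1
        if ttl <= 0:
            return 0  # dropped in transit, never reaches the BGP process
    return ttl


def gtsm_accepts(received_ttl: int, hops: int) -> bool:
    """The actual check: accept only if TTL >= 255 - hops + 1."""
    return received_ttl >= min_accepted_ttl(hops)


def doc_misreading_accepts(received_ttl: int, hops: int) -> bool:
    """The check as the quoted documentation text describes it
    ("TTL equal to or greater than <hops>"). Kept only to show why that
    reading would offer no protection."""
    return received_ttl >= hops


def simulate(sender_ttl: int, transit_routers: int, hops: int) -> tuple:
    """Send a packet with the given initial TTL across transit_routers
    forwarding hops to a router configured with ttl-security hops <hops>.
    Returns (ttl_at_receiver, accepted_by_gtsm, accepted_by_misreading)."""
    ttl = forward_through_routers(sender_ttl, transit_routers)
    return ttl, gtsm_accepts(ttl, hops), doc_misreading_accepts(ttl, hops)


if __name__ == "__main__":
    # Legitimate directly connected peer: TTL 255, no forwarding router.
    print("direct peer, hops 1:", simulate(255, 0, 1))
    # Spoofer four forwarding hops away, sending the maximum TTL it can.
    # It cannot set TTL above 255, so the receiver sees at most 251.
    print("remote spoofer, hops 1:", simulate(255, 4, 1))
    # hops 2 tolerates exactly one router in between, not two.
    print("one router between, hops 2:", simulate(255, 1, 2))
    print("two routers between, hops 2:", simulate(255, 2, 2))
```

With hops 1 the remote spoofer's packet arrives with TTL 251: the real check rejects it, while the "greater than or equal to hops" reading would accept it, which is exactly the objection raised in the thread. Note the asymmetry of the protection: an attacker can always lower its TTL, so GTSM only guarantees that the sender is no further away than the configured hop count, not that it is the intended peer; it still needs to be combined with MD5 authentication or other controls.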
