[nsp] BGP TTL Security Check
Andre Chapuis
chapuis at ip-plus.net
Sat Apr 24 16:30:18 EDT 2004
Does not seem to work correctly, then ...
I tried several values for a directly-connected peer, and the only value leaving the session up is 254 -> It seems:
1. The TTL is decremented before the router processes it
2. The value you give is the max TTL allowed, which is nonsense and does not bring anything...
Who set it up successfully?
André
----- Original Message -----
From: "Harold Ritter" <hritter at cisco.com>
To: "Andre Chapuis" <chapuis at ip-plus.net>
Cc: "Gert Doering" <gert at greenie.muc.de>; "Danny McPherson" <danny at tcb.net>; <cisco-nsp at puck.nether.net>
Sent: Saturday, April 24, 2004 9:50 PM
Subject: Re: [nsp] BGP TTL Security Check
Andre,
At 07:32 PM 4/24/2004 +0200, Andre Chapuis wrote:
>So do we have to set 'neighbor TTL-security 1, 2, 254 or 255' ?
>=> 2 questions
>1. is the value the min-ttl allowed or 255-the max ttl allowed
If peers are directly connected, you would set the hops value to 1
(therefore requiring the TTL to be 255 in incoming BGP packets).
>2. is the router first decrementing the TTL and then processing the packet
>? which would seem logical to me but ....
For packets that are not destined to the local router, the TTL is
decremented and then forwarded if TTL is greater than 0. TTL is not
decremented if packets are destined to the local router.
>André
>
>----- Original Message -----
>From: "Gert Doering" <gert at greenie.muc.de>
>To: "Danny McPherson" <danny at tcb.net>
>Cc: <cisco-nsp at puck.nether.net>
>Sent: Saturday, April 24, 2004 12:30 PM
>Subject: Re: [nsp] BGP TTL Security Check
>
>
>Hi,
>
>On Fri, Apr 23, 2004 at 08:28:44PM -0600, Danny McPherson wrote:
> > The documentation is indeed correct.
>
>No. Some statements clearly point out that the author had no idea what he
>was talking about.
>
>The most prominent part is this one (repeated a couple of times):
>
>"The following example sets the hop count to 1 for the 10.1.1.1 neighbor.
>Because the hop-count argument is set to 2, BGP will only accept IP packets
>with a TTL count in the header that is equal to or greater than 2. "
>
>comparing to "equal to or greater than 2" would be mostly useless - it
>needs to compare to "equal to or greater than 254" to be of any use
>against spoofed packets.
>
>I assume that the programmers knew what they were doing (even if the
>way it's configured - by # of hops, instead of specifying the expected
>TTL - is confusing in itself) but the person who wrote the documentation
>really didn't. Which is a shame - usually Cisco docs are very good.
>
>gert
>
>--
>USENET is *not* the non-clickable part of WWW!
>
>//www.muc.de/~gert/
>Gert Doering - Munich, Germany gert at greenie.muc.de
>fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
Harold Ritter, CCIE 4168 (R&S / SP)
Advanced Services - Canada
Cisco Systems
1414 Massachusetts Avenue
Boxborough, MA 01719 USA
Phone: 978 936 1431
Cisco Systems- "Empowering the Internet Generation."