[nsp] BGP TTL Security Check

Harold Ritter hritter at cisco.com
Sat Apr 24 17:09:41 EDT 2004


Andre,

At 10:30 PM 4/24/2004 +0200, Andre Chapuis wrote:
>Does not seem to work correctly, then ...
>I tried several values for a directly-connected peer, and the only value 
>leaving the session up is 254 -> It seems:

Did you configure at both peers?

>1. The TTL is decremented before the router processes it

TTL is not decremented for packets destined to the router itself.

>2. The value you give is the max TTL allowed, which is nonsense and 
>does not bring anything...

You set the TTL to 255 on the sending side and expect 255 on the receiving 
side if the neighbor is directly connected. What doesn't make sense?


>Who set it up successfully?
>
>André
>
>----- Original Message -----
>From: "Harold Ritter" <hritter at cisco.com>
>To: "Andre Chapuis" <chapuis at ip-plus.net>
>Cc: "Gert Doering" <gert at greenie.muc.de>; "Danny McPherson" 
><danny at tcb.net>; <cisco-nsp at puck.nether.net>
>Sent: Saturday, April 24, 2004 9:50 PM
>Subject: Re: [nsp] BGP TTL Security Check
>
>
>Andre,
>
>At 07:32 PM 4/24/2004 +0200, Andre Chapuis wrote:
> >So do we have to set 'neighbor TTL-security 1, 2, 254 or 255'?
> >=> 2 questions
> >1. Is the value the min TTL allowed, or 255 - the max TTL allowed?
>
>If peers are directly connected, you would set the hops value to 1
>(therefore requiring the TTL to be 255 in incoming BGP packets).
>
> >2. Is the router first decrementing the TTL and then processing the
> >packet? That would seem logical to me, but ....
>
>For packets that are not destined to the local router, the TTL is
>decremented and then forwarded if TTL is greater than 0. TTL is not
>decremented if packets are destined to the local router.
>
>
> >André
> >
> >----- Original Message -----
> >From: "Gert Doering" <gert at greenie.muc.de>
> >To: "Danny McPherson" <danny at tcb.net>
> >Cc: <cisco-nsp at puck.nether.net>
> >Sent: Saturday, April 24, 2004 12:30 PM
> >Subject: Re: [nsp] BGP TTL Security Check
> >
> >
> >Hi,
> >
> >On Fri, Apr 23, 2004 at 08:28:44PM -0600, Danny McPherson wrote:
> > > The documentation is indeed correct.
> >
> >No.  Some statements clearly point out that the author had no idea what he
> >was talking about.
> >
> >The most prominent part is this one (repeated a couple of times):
> >
> >"The following example sets the hop count to 1 for the 10.1.1.1 neighbor.
> >Because the hop-count argument is set to 2, BGP will only accept IP packets
> >with a TTL count in the header that is equal to or greater than 2. "
> >
> >comparing to "equal to or greater than 2" would be mostly useless - it
> >needs to compare to "equal to or greater than 254" to be of any use
> >against spoofed packets.
> >
> >I assume that the programmers knew what they were doing (even if the
> >way it's configured - by # of hops, instead of specifying the expected
> >TTL - is confusing in itself) but the person who wrote the documentation
> >really didn't.  Which is a shame - usually Cisco docs are very good.
> >
> >gert
> >
> >--
> >USENET is *not* the non-clickable part of WWW!
> >
> >//www.muc.de/~gert/
> >Gert Doering - Munich, Germany                             gert at greenie.muc.de
> >fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
> >_______________________________________________
> >cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >https://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>Harold Ritter, CCIE 4168 (R&S / SP)
>Advanced Services - Canada
>Cisco Systems
>1414 Massachusetts Avenue
>Boxborough, MA 01719 USA
>Phone: 978 936 1431
>Cisco Systems- "Empowering the Internet Generation."

Harold Ritter, CCIE 4168 (R&S / SP)
Advanced Services - Canada
Cisco Systems
1414 Massachusetts Avenue
Boxborough, MA 01719 USA
Phone: 978 936 1431
Cisco Systems- "Empowering the Internet Generation."
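Added example (not written by any of the thread participants, and not Cisco code): a small Python model of the TTL security check as the thread describes it. It encodes three points made above: the sender marks BGP packets with TTL 255, transit routers decrement but the destination does not, and the configured `hops` value N translates into a minimum accepted TTL of 255 - N + 1 (hops 1 requires 255, hops 2 requires 254 or more). That offset, the helper names and the constructed scenarios are assumptions for illustration; confirm the exact offset against the documentation of the platform you run. It also includes the "equal to or greater than 2" comparison from the misquoted documentation, to show why that threshold would let a packet from far away through.

```python
"""GTSM (BGP TTL security check) modelled on the thread's description.

Assumptions (not from the original posts): the helper names, the scenarios
below, and the exact minimum-TTL offset, which should be confirmed against
the platform's own documentation.
"""
from dataclasses import dataclass

GTSM_SENDER_TTL = 255    # a peer with ttl-security enabled sends BGP with TTL 255
DEFAULT_EBGP_TTL = 1     # a peer without it sends with the eBGP default of 1


def min_accepted_ttl(hops: int) -> int:
    """Minimum TTL accepted for 'neighbor X ttl-security hops N' as read in the
    thread: hops 1 (directly connected) requires 255, hops 2 requires >= 254."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be in 1..254")
    return 255 - hops + 1


def ttl_on_arrival(initial_ttl: int, transit_routers: int) -> int:
    """TTL the receiving router sees. Each transit router decrements by one; the
    receiver does not decrement a packet addressed to itself. Returns 0 if the
    packet would have expired in transit."""
    ttl = initial_ttl
    for _ in range(transit_routers):
        ttl -= 1
        if ttl <= 0:
            return 0
    return ttl


def gtsm_accepts(received_ttl: int, hops: int) -> bool:
    """The check as the thread describes it: accept only TTL >= 255 - hops + 1."""
    return received_ttl > 0 and received_ttl >= min_accepted_ttl(hops)


def misread_doc_accepts(received_ttl: int, hops: int) -> bool:
    """The check as the quoted documentation misstates it ('equal to or greater
    than 2' for hops 2); shown only to illustrate why that threshold is useless."""
    return received_ttl >= hops


@dataclass(frozen=True)
class Scenario:
    name: str
    sender_ttl: int
    transit_routers: int   # routers between the peers; 0 means directly connected
    hops: int              # configured ttl-security hops value


# Constructed scenarios; distances and hop counts are illustrative only.
SCENARIOS = [
    Scenario("directly connected, both peers configured", GTSM_SENDER_TTL, 0, 1),
    Scenario("directly connected, remote peer not configured", DEFAULT_EBGP_TTL, 0, 1),
    Scenario("peer two hops away, hops 2", GTSM_SENDER_TTL, 1, 2),
    Scenario("spoofed packet from five routers away, hops 1", GTSM_SENDER_TTL, 5, 1),
]


def evaluate(s: Scenario) -> dict:
    received = ttl_on_arrival(s.sender_ttl, s.transit_routers)
    return {
        "name": s.name,
        "received_ttl": received,
        "min_ttl": min_accepted_ttl(s.hops),
        "accepted": gtsm_accepts(received, s.hops),
        "misread_doc_accepted": misread_doc_accepts(received, s.hops),
    }


def evaluate_all() -> list:
    return [evaluate(s) for s in SCENARIOS]


if __name__ == "__main__":
    for r in evaluate_all():
        verdict = "ACCEPT" if r["accepted"] else "REJECT"
        print(f"{r['name']:<50} received TTL {r['received_ttl']:>3} "
              f"(min {r['min_ttl']}): {verdict}; misread-doc check would "
              f"{'accept' if r['misread_doc_accepted'] else 'reject'}")
```

The second scenario is the case Harold asks about: if only one side has ttl-security configured, the other side still sends with the eBGP default TTL of 1, so the configured side sees TTL 1 and rejects the session regardless of how sensible its own `hops` value is. The last scenario shows the point of the feature: a packet that crossed five routers arrives with TTL 250 and is dropped, while the misread "greater than or equal to 2" comparison would accept it.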