[nsp] BGP TTL Security Check
Gert Doering
gert at greenie.muc.de
Sun Apr 25 04:17:15 EDT 2004
Hi,
On Sat, Apr 24, 2004 at 11:53:41AM -0500, Roger wrote:
> >>192.168.0.1, w/ a ttl of say 20 is perfectly fine, even though we'd know
> >>that can't be true because the TTL is just way too high for an IP address
> >>in the same subnet.
> >The other way around. A *low* TTL is very easy to achieve for a spoofing
> >sender. But it's impossible to get a *high* TTL spoofed.
>
> Ok thanks Gert - the problem spawned from the fact that I thought ip
> packets going to hosts in the same subnet should have low ttls as
> they're not going to be routed anyway..
This was the "classic" approach - eBGP packets having a TTL of 1, so
they would only reach the target router if it's directly adjacent. Which
is a safeguard to prevent eBGP from establishing a multihop session if
a direct link is down - potentially creating routing loops or other
funnies.
The receiver can't validate whether a packet coming in with a TTL of 1
has been originated "directly adjacent" or "somewhere else with a
precisely calculated TTL".
("ebgp-multihop 5" will accordingly source packets with a TTL of 5)
> If packets being sent, even to hosts on the same subnet, have a ttl of
> 255 for starters then yes - the docs make a bit more sense.
This is the trick :-)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
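As an added illustration (not part of Gert's mail or the cisco-nsp thread), a small Python model of the two checks discussed above: the "classic" TTL-of-1 test, which a sender at any distance can satisfy by choosing its TTL, versus the TTL security check, which a distant sender cannot satisfy because every router on the path decrements the TTL. Hop counts, the `max_hops` value and the helper names are constructed for this example.

```python
# Constructed model of BGP TTL handling; not vendor code.
MAX_TTL = 255  # highest TTL an IP stack can put on a packet


def received_ttl(sent_ttl: int, hops: int) -> int:
    """TTL seen by the receiver after `hops` routers each decrement by one.
    Returns 0 when the packet would have been dropped in transit."""
    ttl = sent_ttl - hops
    return ttl if ttl > 0 else 0


def classic_check(ttl: int) -> bool:
    """'Classic' eBGP: the receiver only sees TTL == 1 and cannot tell
    whether the sender was adjacent or far away with a calculated TTL."""
    return ttl == 1


def ttl_security_check(ttl: int, max_hops: int) -> bool:
    """TTL security: peers send with TTL 255; accept only if the packet
    lost no more than `max_hops` on the way (i.e. TTL >= 255 - max_hops)."""
    return ttl >= MAX_TTL - max_hops


def scenario(sender_hops: int, sent_ttl: int, max_hops: int = 1):
    """Return (classic_accepts, ttl_security_accepts) for one sender that is
    `sender_hops` routers away and originates packets with `sent_ttl`."""
    ttl = received_ttl(sent_ttl, sender_hops)
    return classic_check(ttl), ttl_security_check(ttl, max_hops)


if __name__ == "__main__":
    cases = {
        # directly adjacent peer, old style (TTL 1) and new style (TTL 255)
        "adjacent, sends TTL 1":   scenario(sender_hops=0, sent_ttl=1),
        "adjacent, sends TTL 255": scenario(sender_hops=0, sent_ttl=MAX_TTL),
        # sender five hops away that 'precisely calculates' a TTL arriving as 1
        "5 hops away, sends TTL 6":   scenario(sender_hops=5, sent_ttl=6),
        # same sender using the maximum TTL: it still arrives as 250 < 254
        "5 hops away, sends TTL 255": scenario(sender_hops=5, sent_ttl=MAX_TTL),
    }
    for name, (classic, secure) in cases.items():
        print(f"{name:28s} classic={classic!s:5s} ttl-security={secure}")
```

The last two cases are the point of the thread: a low TTL can be produced from anywhere, but the distant sender can never make its packets arrive with a TTL above 250.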