[nsp] BGP TTL Security Check
Gert Doering
gert at greenie.muc.de
Sun Apr 25 04:20:20 EDT 2004
Hi,
On Sat, Apr 24, 2004 at 07:32:37PM +0200, Andre Chapuis wrote:
> So do we have to set 'neighbor TTL-security 1, 2, 254 or 255' ?
> => 2 questions
As far as I understand the docs, you have to set it to "1" for directly
adjacent neighbours.
> 1. is the value the min-ttl allowed or 255-the max ttl allowed
To make sense, the check would have to test TTL_incoming >= 255-$value
(or 256-$value).
> 2. is the router first decrementing the TTL and then processing the packet ? which would seem logical to me but ....
I can't see any strong reason why it would have to be that way (or the
other way round) - so I'd file it under "implementation dependent".
It doesn't really matter, as long as the router itself knows what it's
doing, and adjusts the check appropriately.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
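Added example, not part of Gert's post, the cisco-nsp archive, or any vendor's implementation: a small Python model of the check as Gert describes it, accept a packet if TTL_incoming >= 255 - value. The function names, the `check_after_decrement` switch and the sample packets are constructed for illustration; `conventions_agree` exhaustively confirms the point that decrementing the TTL before or after the comparison does not change the decision once the threshold is adjusted by one.

```python
from typing import Dict, List, Tuple

SENDER_TTL = 255  # a GTSM-aware peer originates BGP packets with the maximum TTL


def min_accepted_ttl(hops: int, check_after_decrement: bool = False) -> int:
    """Lowest TTL still accepted for a neighbour configured `hops` away.

    Implements the rule from the thread: accept if TTL_incoming >= 255 - hops.
    When the router decrements the TTL before running the check, the threshold
    shifts down by one so that the decision is unchanged.
    """
    if not 1 <= hops <= 254:
        raise ValueError("hops must be in 1..254 (assumed range for this model)")
    threshold = SENDER_TTL - hops
    return threshold - 1 if check_after_decrement else threshold


def gtsm_accept(ttl_on_wire: int, hops: int, check_after_decrement: bool = False) -> bool:
    """Decide whether a received packet passes the TTL security check."""
    if not 0 <= ttl_on_wire <= 255:
        raise ValueError("IPv4 TTL is an 8-bit field")
    # Convention B: the forwarding path has already decremented the TTL
    # before the BGP input check sees the packet.
    observed = ttl_on_wire - 1 if check_after_decrement else ttl_on_wire
    return observed >= min_accepted_ttl(hops, check_after_decrement)


def conventions_agree(hops: int) -> bool:
    """Decrement-then-check and check-then-decrement give the same answer for
    every possible wire TTL once the threshold is adjusted."""
    return all(
        gtsm_accept(ttl, hops, False) == gtsm_accept(ttl, hops, True)
        for ttl in range(256)
    )


# Constructed sample packets: (label, TTL as it arrives on the wire).
CONSTRUCTED_PACKETS: List[Tuple[str, int]] = [
    ("directly attached peer, TTL untouched", 255),
    ("one router in the path (one decrement)", 254),
    ("two routers in the path", 253),
    ("packet that crossed 14 routers", 241),
]


def evaluate(packets: List[Tuple[str, int]], hops: int) -> Dict[str, bool]:
    """Run each sample packet through the check for a given neighbour hop count."""
    return {label: gtsm_accept(ttl, hops) for label, ttl in packets}


if __name__ == "__main__":
    for hops in (1, 2, 254):
        print(f"ttl-security value {hops}: minimum accepted TTL {min_accepted_ttl(hops)}")
        for label, ok in evaluate(CONSTRUCTED_PACKETS, hops).items():
            print(f"  {'accept' if ok else 'drop  '}  {label}")
        print(f"  decrement-before/after conventions agree: {conventions_agree(hops)}")
```

With value 1, only packets arriving with TTL 255 or 254 pass; anything that has traversed more routers is dropped before BGP ever parses it. Setting the value to 254 accepts almost any TTL, which is why a large value removes the protection the thread is asking about.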