[nsp] BGP TTL Security Check

Gert Doering gert at greenie.muc.de
Sun Apr 25 04:20:20 EDT 2004


Hi,

On Sat, Apr 24, 2004 at 07:32:37PM +0200, Andre Chapuis wrote:
> So do we have to set 'neighbor TTL-security 1, 2, 254 or 255' ?
> => 2 questions

As far as I understand the docs, you have to set it to "1" for directly
adjacent neighbours.

> 1. is the value the min-ttl allowed or 255-the max ttl allowed

To make sense, the check would have to test TTL_incoming >= 255-$value
(or 256-$value).

> 2. is the router first decrementing the TTL and then processing the packet ? which would seem logical to me but ....

I can't see any strong reason why it would have to be that way (or the
other way round) - so I'd file it under "implementation dependent".

It doesn't really matter, as long as the router itself knows what it's
doing, and adjusts the check appropriately.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
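The TTL floor discussed in this exchange, worked through as an added example (not code from the thread, nor Cisco's implementation). The two candidate thresholds (255 - value and 256 - value), the hop counting, the decrement-before-check behaviour modelled as a flag, and the sample peer packets are all constructed here to show why the router must match its check to its own TTL handling.

```python
"""GTSM-style BGP TTL check as discussed in the thread (added example).

Threshold forms are the two Gert names: TTL_in >= 255 - value (default) or
TTL_in >= 256 - value (strict).  Whether the router decrements TTL before
processing is left implementation dependent in the thread, so it is a flag.
"""
from dataclasses import dataclass

MAX_TTL = 255


@dataclass(frozen=True)
class Packet:
    src: str   # constructed peer address, for labelling only
    ttl: int   # IP TTL as seen on the wire when the packet arrives


def gtsm_min_ttl(value: int, strict: bool = False) -> int:
    """Lowest acceptable TTL for 'neighbor ... ttl-security <value>'."""
    if not 1 <= value <= MAX_TTL - 1:
        raise ValueError("ttl-security value must be between 1 and 254")
    return (MAX_TTL + 1 if strict else MAX_TTL) - value


def observed_ttl(sent_ttl: int, routers_between: int, decrement_first: bool) -> int:
    """TTL the checking router sees: every transit router decrements once;
    if the receiver decrements before processing (Andre's question 2), one more."""
    return sent_ttl - routers_between - (1 if decrement_first else 0)


def gtsm_accept(ttl: int, value: int, strict: bool = False) -> bool:
    """Accept only if the packet could not have travelled further than allowed."""
    return ttl >= gtsm_min_ttl(value, strict)


def filter_peer_packets(packets, value: int, strict: bool = False):
    """Split packets into (accepted, dropped) source lists for a given setting."""
    accepted = [p.src for p in packets if gtsm_accept(p.ttl, value, strict)]
    dropped = [p.src for p in packets if not gtsm_accept(p.ttl, value, strict)]
    return accepted, dropped


# Constructed sample: adjacent peer sends TTL 255; a host many hops away cannot
# make its packets arrive with a TTL anywhere near 255, however it sets them.
SAMPLE = [
    Packet("adjacent-peer", observed_ttl(MAX_TTL, 0, decrement_first=False)),
    Packet("one-router-away", observed_ttl(MAX_TTL, 1, decrement_first=False)),
    Packet("distant-spoofer", observed_ttl(MAX_TTL, 15, decrement_first=False)),
]
```

With `value=1` the default form accepts TTL 254 and 255 and drops the distant spoofer; the strict form accepts only 255, and it wrongly rejects a directly adjacent peer if the router decrements before checking, which is exactly the adjustment Gert says the implementation has to make.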