[nsp] BGP TTL Security Check

Dennis Peng dpeng at cisco.com
Tue Apr 27 17:50:25 EDT 2004


Gert Doering [gert at greenie.muc.de] wrote:
> Hi,
> 
> On Fri, Apr 23, 2004 at 08:28:44PM -0600, Danny McPherson wrote:
> > The documentation is indeed correct.  
> 
> No.  Some statements clearly point out that the author had no idea what he
> was talking about.
> 
> The most prominent part is this one (repeated a couple of times):
> 
> "The following example sets the hop count to 1 for the 10.1.1.1 neighbor.
> Because the hop-count argument is set to 2, BGP will only accept IP packets
> with a TTL count in the header that is equal to or greater than 2. "
> 
> comparing to "equal to or greater than 2" would be mostly useless - it
> needs to compare to "equal to or greater than 254" to be of any use 
> against spoofed packets.
> 
> I assume that the programmers knew what they were doing (even if the
> way it's configured - by # of hops, instead of specifying the expected
> TTL - is confusing in itself) but the person who wrote the documentation
> really didn't.  Which is a shame - usually Cisco docs are very good.

Thanks for bringing this to our attention. The document has been
fixed.

Dennis

> gert
> 
> -- 
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
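The check the thread is arguing about, as an added example that is not Cisco's code or anything from the original post: a small Python model of the TTL security (GTSM-style) filter. It assumes the corrected reading Gert gives, that a neighbor configured as one hop away must arrive with TTL >= 254 (i.e. threshold = 255 - hops), and contrasts it with the "TTL >= hop count" reading the documentation originally printed. The packets are constructed samples.

```python
from dataclasses import dataclass

MAX_TTL = 255  # initial TTL a GTSM-aware peer sends with


@dataclass(frozen=True)
class Packet:
    """Constructed sample: the two fields of an inbound BGP packet the check looks at."""
    src: str
    ttl: int


def min_ttl_for_hops(hop_count: int) -> int:
    """Minimum arriving TTL for a neighbor configured hop_count hops away.

    Assumption (matches the corrected reading in the thread): hops=1 -> TTL >= 254.
    """
    if not 1 <= hop_count <= 254:
        raise ValueError("hop count must be between 1 and 254")
    return MAX_TTL - hop_count


def ttl_security_accepts(pkt: Packet, hop_count: int) -> bool:
    """Correct check: a spoofer further away than hop_count cannot start above 255,
    and every router on the path decrements, so its packets arrive below the threshold."""
    return pkt.ttl >= min_ttl_for_hops(hop_count)


def doc_as_written_accepts(pkt: Packet, hop_count: int) -> bool:
    """The check as the original documentation described it (TTL >= hop count).
    Included only to show why that reading gives no protection against spoofing."""
    return pkt.ttl >= hop_count


def evaluate(packets, hop_count: int) -> dict:
    """Return {src: (correct_verdict, doc_reading_verdict)} for a list of packets."""
    return {p.src: (ttl_security_accepts(p, hop_count),
                    doc_as_written_accepts(p, hop_count)) for p in packets}


# Constructed traffic toward a neighbor configured with hop count 1:
SAMPLE = [
    Packet("10.1.1.1", 255),    # directly connected peer, TTL untouched on arrival
    Packet("192.0.2.10", 245),  # spoofed source ten routers away, TTL decremented ten times
]

if __name__ == "__main__":
    for src, (ok, doc_ok) in evaluate(SAMPLE, 1).items():
        print(f"{src}: ttl-security={'accept' if ok else 'drop'}, "
              f"doc-reading={'accept' if doc_ok else 'drop'}")
```

With hop count 1 the real check drops the 10-hop spoofed packet while the "greater than or equal to 2" reading accepts it, which is exactly the uselessness Gert points out.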

