[nsp] BGP TTL Security Check
Dennis Peng
dpeng at cisco.com
Tue Apr 27 17:50:25 EDT 2004
Gert Doering [gert at greenie.muc.de] wrote:
> Hi,
>
> On Fri, Apr 23, 2004 at 08:28:44PM -0600, Danny McPherson wrote:
> > The documentation is indeed correct.
>
> No. Some statements clearly point out that the author had no idea what he
> was talking about.
>
> The most prominent part is this one (repeated a couple of times):
>
> "The following example sets the hop count to 1 for the 10.1.1.1 neighbor.
> Because the hop-count argument is set to 2, BGP will only accept IP packets
> with a TTL count in the header that is equal to or greater than 2. "
>
> comparing to "equal to or greater than 2" would be mostly useless - it
> needs to compare to "equal to or greater than 254" to be of any use
> against spoofed packets.
>
> I assume that the programmers knew what they were doing (even if the
> way it's configured - by # of hops, instead of specifying the expected
> TTL - is confusing in itself) but the person who wrote the documentation
> really didn't. Which is a shame - usually Cisco docs are very good.
Thanks for bringing this to our attention. The document has been
fixed.
Dennis
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
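The comparison Gert describes, as an added example that is not part of the thread and not Cisco's implementation: a Python model of the GTSM receiver test (accept a packet only if its TTL is at least 255 minus the configured hop count) beside the test as the documentation originally stated it (TTL at least hops + 1), both run over constructed IPv4 headers from a directly connected peer and from a spoofer ten router hops away. The function names, the sample addresses and the hypothetical neighbour table are this example's own assumptions; the arithmetic follows the thread (one decrement per router hop, so a one-hop peer delivers 254).

```python
import ipaddress
import struct

MAX_TTL = 255  # an 8-bit IPv4 TTL cannot exceed this, whatever the sender does


def gtsm_min_ttl(hops):
    """Lowest TTL a packet from a peer `hops` routers away can arrive with.

    A GTSM-capable peer sends with TTL 255 and each router on the path
    decrements by one, so a directly connected peer (hops=1) delivers 254.
    """
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return MAX_TTL - hops


def gtsm_accept(ttl, hops):
    """The correct receiver test: accept only TTL >= 255 - hops."""
    return ttl >= gtsm_min_ttl(hops)


def documented_accept(ttl, hops):
    """The test as the original documentation described it ("equal to or
    greater than 2" for one hop), i.e. TTL >= hops + 1.  Kept only to show
    that almost any packet passes it."""
    return ttl >= hops + 1


def arriving_ttl(sender_ttl, distance):
    """TTL seen by the receiver after `distance` router hops, or None when
    the packet expires in transit (TTL would reach 0 before delivery)."""
    ttl = sender_ttl - distance
    return ttl if ttl > 0 else None


def build_ipv4_header(src, dst, ttl, proto=6):
    """Constructed 20-byte IPv4 header for the demo (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def parse_ipv4(header):
    """Return (source address, TTL) from a raw IPv4 header; TTL is byte 8."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    src = str(ipaddress.ip_address(header[12:16]))
    return src, header[8]


def filter_bgp(packets, neighbors, check=gtsm_accept):
    """Apply `check` to every raw header from a configured neighbour.

    `neighbors` maps peer address -> configured hop count (hypothetical
    stand-in for the router's neighbour table).  Packets from unknown
    sources are ignored here.  Returns [(src, ttl, accepted), ...].
    """
    out = []
    for pkt in packets:
        src, ttl = parse_ipv4(pkt)
        if src in neighbors:
            out.append((src, ttl, check(ttl, neighbors[src])))
    return out


def demo():
    neighbors = {"10.1.1.1": 1}  # hypothetical directly connected peer
    # Constructed traffic: the real peer one hop away, and an attacker ten
    # router hops away spoofing the peer's address with the maximum TTL.
    packets = [
        build_ipv4_header("10.1.1.1", "10.1.1.2", arriving_ttl(MAX_TTL, 1)),
        build_ipv4_header("10.1.1.1", "10.1.1.2", arriving_ttl(MAX_TTL, 10)),
    ]
    return {
        "gtsm": filter_bgp(packets, neighbors, gtsm_accept),
        "documented": filter_bgp(packets, neighbors, documented_accept),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name)
        for src, ttl, ok in rows:
            print(f"  from {src} ttl={ttl}: {'accept' if ok else 'drop'}")
```

The spoofed packet arrives with TTL 245: the GTSM test drops it because 245 is below 254, while the comparison the documentation described (TTL >= 2) lets it through, which is the point Gert makes. The spoofer cannot compensate, since 255 is the largest value the TTL field holds and every router on the path still decrements it.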