[c-nsp] BGP TTL check (GTSM)

bill fumerola billf at mu.org
Wed Jun 18 15:28:35 EDT 2008


On Wed, Jun 18, 2008 at 11:47:14AM -0500, Justin Shore wrote:
> Has anyone run into any problems with the BGP TTL security check?  I've
> tried to configure it a couple of times on our eBGP peers with no luck.
> The BGP session is eventually dropped after the hold time expires.  It
> should be extremely easy to configure but for some reason it always fails.
> 
>  neighbor a.b.c.d ttl-security hops 1

as others have explained, this doesn't work the way it seems it should
work.  i got bit by the same line of thinking.

ideally, you could just examine/infer the TTL of incoming packets and do:

   neighbor a.b.c.d ttl-security min-hops 255

and that would drop any packets from neighbor a.b.c.d with less than 255
in the TTL field.

less braindead operating systems can provide this simple functionality.
why IOS can read ip options but not TTL is a mystery to me. the former
is a variable length often in a variable position, the latter is in a
fixed position and the fields on either side are read indirectly (for
frag match) or directly (for protocol). this protection would go far in
protecting (e.g.) peering interfaces from MD5 cpu starvation attacks.

-- bill
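The check bill describes (accept a BGP packet from a peer only if its TTL is at or above 255 minus the configured hop count, read straight from the fixed-position TTL byte in the IPv4 header) is easy to model in software. The following Python is an added example written for this page, not code from the thread or from IOS; the peer addresses, hop counts and packets are constructed for the example, and the semantics follow the GTSM procedure in RFC 5082 rather than any vendor's implementation. It parses only the header fields the thread mentions (TTL at byte 8, protocol at byte 9, the fragment field just before the TTL) and shows that an option-bearing header does not move the TTL.

```python
import ipaddress
import struct
from typing import Optional

# Constructed configuration: eBGP peers keyed by address, each with the
# number of hops the peer is allowed to be away (GTSM, RFC 5082).
GTSM_PEERS = {
    "192.0.2.1": 1,      # directly connected eBGP peer (constructed)
    "198.51.100.7": 2,   # peer one router away (constructed)
}

BGP_PORT = 179
PROTO_TCP = 6


def parse_ipv4_header(pkt: bytes) -> dict:
    """Extract the fields GTSM needs from a raw IPv4 packet.

    TTL is byte 8 and protocol is byte 9 regardless of IP options, which is
    the point made in the thread: no option parsing is needed to read them.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, options included
    return {
        "ttl": ttl,
        "proto": proto,
        "frag_offset": flags_frag & 0x1FFF,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": pkt[ihl:],
    }


def is_bgp_segment(hdr: dict) -> bool:
    """True for TCP to or from port 179; only the first fragment carries ports."""
    if hdr["proto"] != PROTO_TCP or hdr["frag_offset"] != 0:
        return False
    if len(hdr["payload"]) < 4:
        return False
    sport, dport = struct.unpack("!HH", hdr["payload"][:4])
    return BGP_PORT in (sport, dport)


def gtsm_accept(pkt: bytes, peers: dict = GTSM_PEERS) -> Optional[str]:
    """Apply the GTSM check. Returns None to accept, or a drop reason string."""
    hdr = parse_ipv4_header(pkt)
    if not is_bgp_segment(hdr):
        return None                      # GTSM governs only the BGP session
    hops = peers.get(hdr["src"])
    if hops is None:
        return "no BGP peer configured for %s" % hdr["src"]
    min_ttl = 255 - hops                 # a peer N hops away sends TTL 255-N or more
    if hdr["ttl"] < min_ttl:
        return "ttl %d below GTSM minimum %d for %s" % (hdr["ttl"], min_ttl, hdr["src"])
    return None


def build_packet(src: str, dst: str, ttl: int, sport: int = BGP_PORT,
                 dport: int = 50000, options: bytes = b"") -> bytes:
    """Constructed sample packet: minimal IPv4 + TCP SYN, checksums left zero."""
    options = options + b"\x00" * (-len(options) % 4)   # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    total = ihl * 4 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, ttl,
                     PROTO_TCP, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + options + tcp


if __name__ == "__main__":
    for label, pkt in [
        ("adjacent peer, ttl 255", build_packet("192.0.2.1", "192.0.2.2", 255)),
        ("adjacent peer, ttl 200", build_packet("192.0.2.1", "192.0.2.2", 200)),
        ("unknown source, ttl 255", build_packet("203.0.113.9", "192.0.2.2", 255)),
        ("ssh, ttl 60 (not BGP)", build_packet("203.0.113.9", "192.0.2.2", 60, 22, 22)),
    ]:
        print(label, "->", gtsm_accept(pkt) or "accept")
```

The accept/drop decision is made before any TCP MD5 verification would run, which is the ordering that makes GTSM useful against the CPU-starvation case the post mentions: spoofed segments from more than one hop away never reach the expensive check.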

